Tracking a Vulnerability from Detection to Resolution

Acunetix is not just a web vulnerability scanner, it is a full vulnerability management solution. In this article, we want to show you the entire process of finding a vulnerability and then fixing it. You will see how features of Acunetix make this process much faster and easier than it would be if you were using a simpler scanner.

Step 0. Create a Vulnerable Application

Before you can see how Acunetix helps you find and fix a vulnerability, you need a vulnerable web application. We will first install a local web server and create an application with a critical vulnerability. Of course, these steps would not be necessary if you were scanning your own websites and web applications.

This simple web application contains just one page, which:

  • Shows you a list of text files that are stored in a directory
  • Asks you to specify a filename from that list
  • Displays the content of the specified filename

You can implement this web application on any operating system. In this article, we used a fresh installation of Debian 10.

Install the Web Server

1. Install the Apache2 web server and PHP using the following commands:

apt update
apt upgrade
apt install apache2 php

The root folder of the vulnerable web application will be /var/www/html/ and will contain a subfolder /var/www/html/library/. The /var/www/html/ folder will contain 2 files:

  • index.html
  • catfile.php

2. Create the file /var/www/html/index.html with the following content:

<html>
	<head></head>
	<body>
		<h1>Internal Resources</h1><br><br>
		<a href="catfile.php">Document Library</a>
	</body>
</html>

3. Create the file /var/www/html/catfile.php with the following content:

<?php
$base_folder = "/var/www/html";
$file=$_POST["filename"];
if (!empty($file)) {
  // Deliberately vulnerable: the user-supplied name is concatenated into the path unchecked
  echo "<h1>This is the content of the file using the file_get_contents instruction</h1><br>";
  $filetext=file_get_contents($base_folder . "/library/" . $file);
  echo $filetext;
}
else {
  // No filename submitted: list the files in the library folder, 5 per table row
  $filelist = array_diff(scandir($base_folder . "/library"), array('..','.'));
  $i=1;
  echo "<h1>List of available files</h1><br><br>";
  echo '<table border="1" style="padding:5px">';
  foreach ($filelist as $value) {
    if ($i==1) echo "<tr>";
    echo '<td style="padding:5px">' . $value . '</td>';
    if ($i==5) {
      echo "</tr>";
      $i=0;
    }
    $i++;
  }
  echo "</table><br><br>";
  echo '<form action="catfile.php" method="post">';
  echo 'Enter desired filename: <input type="text" name="filename"><br>';
  echo '<input type="submit">';
  echo "</form>";
}
?>

4. Create the library folder and an example text file to display:

mkdir -p /var/www/html/library
echo $'example contents\n' > /var/www/html/library/Chapter_01.txt

Then, make additional copies of this file:

tee </var/www/html/library/Chapter_01.txt /var/www/html/library/Chapter_{02..40}.txt >/dev/null

5. Now, run your web server:

sudo systemctl start apache2

Step 1. Create a Target in Acunetix with AcuSensor

1. Create a target for your website specifying URL and a friendly description. In this example, the URL for the target is http://192.168.1.106/.

Click on the Save button to save your target.

2. On the Target Information page, enable AcuSensor and download the PHP AcuSensor file. Copy the acu_phpaspect.php file into the /acusensor folder on the web server (create the folder if necessary).

Click on the Save button at the top of the page to finish.

3. Create a temporary PHP file that calls the phpinfo() function.

The Loaded Configuration File row displays the php.ini file that you will need to change to enable PHP AcuSensor. Now, delete the temporary PHP file.

4. Use nano to edit the php.ini file:

sudo nano /etc/php/7.3/apache2/php.ini

Adjust the auto_prepend_file directive to read as follows:

auto_prepend_file = /acusensor/acu_phpaspect.php

5. Restart your web server for the new settings to take effect:

sudo systemctl restart apache2

The PHP AcuSensor is now activated for your web server and your web applications.

Step 2. Scan the Website for High-Risk Vulnerabilities

1. Go to the list of targets, select the target you have just created, and click on the Scan button.

2. In the Choose Scanning Options panel, change the Scan Type to High Risk Vulnerabilities and click on the Create Scan button.

You can now monitor the scan as it proceeds.

Step 3. Analyze Discovered Vulnerabilities

By default, the list of vulnerabilities will show all vulnerabilities with Open status. The list may contain results from other targets. You can use the filters at the top of the list of vulnerabilities to display only relevant entries.

Add another filter to the list to show only vulnerabilities for your new target. You should see these 3 high-risk vulnerabilities:

  • PHP open_basedir is not set
  • PHP allow_url_fopen enabled
  • Directory traversal

Step 4. Fix the Vulnerabilities

You can fix the vulnerabilities exposed by Acunetix by adjusting the configuration of your web server or by adjusting your web application code, depending on the vulnerability and the root cause of the vulnerability. Some resolutions require you to modify the php.ini file – in such cases, you need to correctly identify which is the php.ini file in use (to avoid adjusting the wrong file).

Set the PHP open_basedir Directive

If the PHP directive open_basedir is not set, the code may attempt to access any location on the filesystem, without restriction. The open_basedir directive is used to set a base directory so that PHP will refuse any request by the code to access files or directories outside the directory tree specified in the directive.

1. Use nano to edit the php.ini file:

sudo nano /etc/php/7.3/apache2/php.ini

2. Adjust the open_basedir directive to read as follows:

open_basedir = "/var/www:/acusensor"

3. Restart your web server for the new settings to take effect:

sudo systemctl restart apache2

This adjustment will resolve the PHP open_basedir is not set vulnerability. This change will also indirectly partially mitigate the directory traversal vulnerability – but you will need to do some more work to fully resolve that; more about that later on.

Disable the PHP allow_url_fopen Directive

The PHP directive allow_url_fopen is enabled by default. It allows PHP file functions to open remote URLs as if they were local files, potentially leading to remote file inclusion, code injection, and possibly other vulnerabilities.

1. Use nano to edit the php.ini file:

sudo nano /etc/php/7.3/apache2/php.ini

2. Adjust the allow_url_fopen directive to read as follows:

allow_url_fopen = Off

3. Restart your web server for the new settings to take effect:

sudo systemctl restart apache2

This adjustment will resolve the PHP allow_url_fopen enabled vulnerability.

Fix the Directory Traversal Vulnerability

In this case, you need to examine the code and locate the offending portion of the code. The AcuSensor feature allows Acunetix to pinpoint the exact location of the vulnerability in the code.

1. From the list of vulnerabilities, click on the Directory traversal vulnerability to view the detailed information panel for this vulnerability.

AcuSensor gives you all the information you need to locate and identify the vulnerability:

  • The URL: http://192.168.1.106/catfile.php
  • The parameter in the code that is being populated with potentially malicious data: filename
  • The name of the file and the line number: /var/www/html/catfile.php on line 22
  • The name of the PHP function: file_get_contents

Take a quick look at the code in question:

$file=$_POST["filename"];
if (!empty($file)) {
  echo "<h1>This is the content of the file using the file_get_contents instruction</h1><br>";
  $filetext=file_get_contents($base_folder . "/library/" . $file);
  echo $filetext;
}

The filename parameter is a web form field that contains text entered by the user. That text is stored in the $file variable and passed without validation to the file_get_contents function. Acunetix discovered this because it injected the value 1ACUSTARTFILE/../../xxx….ACUENDFILE into the web form. This value contains ../, a very typical signature of a directory traversal attempt, and Acunetix detected that the value was indeed passed to the file_get_contents function without validation or filtering.

You can make a simple adjustment to the code to mitigate the issue. The main point to consider is that the value must be validated and/or filtered. You could start from the code listed above, and add some very simple validation code:

$file = $_POST["filename"];
// Copy of the input with every "../" removed
$file_validated = str_replace("../", "", $file);

// If stripping changed anything, the input contained "../": reject it
if ($file !== $file_validated) {
  header("Location: /");
  exit;
}

if (!empty($file)) {
  echo "<h1>This is the content of the file using the file_get_contents instruction</h1><br>";
  $filetext=file_get_contents($base_folder . "/library/" . $file);
  echo $filetext;
}

This code creates a copy of the $file variable, $file_validated, with all occurrences of ../ stripped out. The two variables are then compared; if they do not match, the input value contained the ../ string, and the user is redirected to the home page of the website.
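As an added example (not code from the article), here is a stricter version of the same file-reading branch: instead of stripping ../, it resolves the requested name with realpath() and serves it only if the result is a regular file directly inside the library folder, which also rejects a symlink inside library that points elsewhere. The function name resolve_library_file is my own; $base_folder and the form field are the article's.

```php
<?php
// Added example: allow-list style check for the catfile.php file-reading branch.
$base_folder = "/var/www/html";

/**
 * Return the absolute path of the requested library file, or null if the
 * request names anything other than a plain file directly inside library/.
 */
function resolve_library_file(string $base_folder, string $requested): ?string
{
    $library = realpath($base_folder . "/library");
    if ($library === false) {
        return null;                           // library folder missing
    }
    // Accept only a bare file name: no slashes, no NUL bytes, not "." or "..".
    if ($requested === '' || strpos($requested, "\0") !== false
        || basename($requested) !== $requested
        || $requested === '.' || $requested === '..') {
        return null;
    }
    // realpath() normalises the path and follows symlinks, so the result is
    // where the read would really happen.
    $candidate = realpath($library . "/" . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;                           // missing, or not a regular file
    }
    if (dirname($candidate) !== $library) {
        return null;                           // resolved outside library/
    }
    return $candidate;
}

$file = $_POST["filename"] ?? '';
if ($file !== '') {
    $path = resolve_library_file($base_folder, $file);
    if ($path === null) {
        http_response_code(400);
        echo "Invalid filename";
        exit;
    }
    echo "<h1>This is the content of the file using the file_get_contents instruction</h1><br>";
    // Escape the file content so a text file cannot inject HTML into the page.
    echo htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8');
}
?>
```

With open_basedir set as in the previous section, this check and the PHP runtime restriction back each other up: the function rejects the request before the read, and open_basedir would still refuse a read outside /var/www if the check were ever bypassed.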

Step 5. Confirm Fixes using Acunetix

1. In your filtered list of vulnerabilities, select the vulnerabilities you have just worked on, and click on the Retest button. This will create a custom scan to specifically test the selected vulnerabilities.

2. Go to your list of scans to look at the result of the custom scan – the Scan Type will start with the word Recheck. Once the scan is completed, you will see that the vulnerabilities are no longer there.

Step 6. Flag the Vulnerabilities as Fixed

In your filtered list of vulnerabilities, select the vulnerabilities you have just fixed and then select the Mark as → Fixed menu option to remove resolved vulnerabilities from the default view and from any other view that should exclude resolved vulnerabilities.

Results without AcuSensor

In some situations, it may not be possible for you to deploy the AcuSensor agent into your web application. AcuSensor may also be unavailable for your back-end technology.

In such cases (for critical vulnerabilities) Acunetix provides you with proof that the vulnerability exists, such as in this example:

THE AUTHOR
Kevin Attard Compagno
Technical Writer

Kevin Attard Compagno is a Technical Writer working for Acunetix. A technical writer, translator, and general IT buff for over 30 years, Kevin used to run Technical Support teams and create training documents and other material for in-house technical staff.


*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Kevin Attard Compagno. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/NPID_Y5MxiE/