I'm working through a security assessment report on a PHP app generated by Acunetix.

The report is claiming a SQL Injection vulnerability. The app is PHP with MySQL. Here are the headers it says are making the attack (specifically the accept-language header):

GET /user_login.php HTTP/1.1
user-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
accept-language: 1;select pg_sleep(1); --
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=35kno6h8kmkbin973q02gojp82; uniqueuser=1382404387
Host: xxx.xxx.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate

I haven't found "accept-language" or "accept_language" anywhere in the app. Also, pg_sleep() isn't a MySQL function.

I searched for a known vulnerability in PHP and didn't find anything. Is this a false positive, or am I missing something?

  • Is there a reason text or description in the report? It should refer specifically to what vulnerability it means, I'd have thought. Commented Nov 4, 2013 at 22:54
  • Those are headers that the client is sending to the server. Commented Nov 4, 2013 at 22:54
  • hakipedia.com/index.php/SQL_Injection#PostgreSQL_pg_sleep.28.29 Commented Nov 4, 2013 at 22:54
  • that could be the error. Unsupported function Commented Nov 4, 2013 at 22:55
  • Maybe they're reporting that you're not rejecting that invalid header, or you're doing something with it that you shouldn't. Commented Nov 4, 2013 at 22:56

2 Answers

Accept-Language is the request header sent by the client's browser.

Acunetix was trying to manipulate these headers by injecting malicious code to find security holes (imitating hackers) to test if your application is vulnerable to them.

If you haven't used the accept-language header, or request headers in general, in your DB queries, then it is probably a false positive. To make sure, look at the response to that request; if the response is normal, then it is all OK.

1 Comment

Hey thanks for the answer! I tried to reproduce it manually and wasn't successful. I think this was a false positive because the tool overwhelmed the server with requests, and it took more than 1s to respond to this.

The code will probably treat that header as a source for selecting the language, and that is done via a database query. And when generating the query, the contents of the HTTP header are improperly parsed.

The reason for you not seeing this might be because the fetching of the HTTP headers is done indirectly (like in $_SERVER[$language_header]).

2 Comments

great answer! I searched for '$_REQUEST[$' to look for this. Obvious after the fact. Thanks!
Note that it is not necessary for an injection to successfully produce working SQL. When doing penetration testing, you'd usually stop when you have proof that you injected something (detected by interrupting the regular application function, possibly with an SQL error). Don't think too much about the fact that you use MySQL, and that the injection seems to use PostgreSQL. You can read a whole database simply by constructing working and failing SQL commands - it will take some time, but the information will leak bit by bit!
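An added illustration of the pattern the second answer describes, not code from the question or the answers: PHP exposes request headers under `$_SERVER['HTTP_*']` names, so a grep for "accept-language" finds nothing even when the header feeds a query. The `$pdo` connection, the `translations` table and the supported-language list are hypothetical.

```php
<?php
// PHP rewrites "Accept-Language" to $_SERVER['HTTP_ACCEPT_LANGUAGE'], which is
// why searching the code base for the header's literal name comes up empty.
$header = $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '';

// VULNERABLE: the raw header is concatenated into the SQL text. Whether a given
// scanner payload breaks out depends on the surrounding SQL (the one in the
// report carries no quote character, so it only matters in an unquoted
// context), which is exactly why the finding has to be reproduced by hand.
function load_strings_unsafe(PDO $pdo, string $lang): array {
    $sql = "SELECT `key`, `text` FROM translations WHERE lang = '" . $lang . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_KEY_PAIR);
}

// SAFE: parse the header, keep only a language the app actually supports,
// and bind the value instead of splicing it into the statement.
const SUPPORTED_LANGS = ['en', 'de', 'fr']; // hypothetical allowlist

function negotiate_language(string $header, string $default = 'en'): string {
    // Accept-Language looks like "de-DE,de;q=0.9,en;q=0.8": walk the entries
    // in order and return the first primary subtag we support.
    foreach (explode(',', $header) as $entry) {
        $tag     = strtolower(trim(explode(';', $entry)[0]));
        $primary = explode('-', $tag)[0];
        if (preg_match('/^[a-z]{2,3}$/', $primary)
            && in_array($primary, SUPPORTED_LANGS, true)) {
            return $primary;
        }
    }
    // Anything unparseable, including "1;select pg_sleep(1); --", falls back
    // to the default, so no attacker-controlled text reaches the query.
    return $default;
}

function load_strings_safe(PDO $pdo, string $header): array {
    $lang = negotiate_language($header);
    $stmt = $pdo->prepare('SELECT `key`, `text` FROM translations WHERE lang = :lang');
    $stmt->execute([':lang' => $lang]);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

$strings = load_strings_safe($pdo, $header);
```

Feeding the report's header value through `negotiate_language()` yields the default `'en'`, so the MySQL-versus-PostgreSQL question never arises once the value is allowlisted and bound.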
