
Nessus Scan on Joomla site

  • Nessus Scan on Joomla site

    Posted 7 years 5 months ago
    • Hi,

      I created a website for an insurance agent 3 years ago using one of the nice Joomla Rockettheme templates.
      The insurance company is now screening all websites which relate to their company and ran a Nessus scan on the website I created for them.

      The report is not really positive :(
      80+ high severity findings including: XPath injection; Cross-site scripting; Cleartext submission of password;
      70+ low severity findings.

      The insurance company will only allow me to keep the website of the insurance agent online if I fix all high and medium findings.
      I'm not comfortable enough to dive into the source-code and go and change all the stuff. I will end up destroying the website.

      Did anyone already have the same experience?
      Any suggestions on how I could keep the website of my customer online?

      Some of the examples:


      1. XPath injection

      There are 11 instances of this issue:
      //index.php [name of an arbitrarily supplied URL parameter]
      /index.php/component/users/ [7146184903f7d45bf4799c91ff01805e cookie]
      /index.php/component/users/ [Referer HTTP header]
      /index.php/component/users/ [URL path folder 3]
      /index.php/component/users/ [User-Agent HTTP header]
      /index.php/component/users/ [a3ba68eae7130f37b948d41590dede11 cookie]
      /index.php/component/users/ [b6639cfe7d9a2f86e335aa87ed59261c parameter]
      /index.php/component/users/ [jform%5bemail%5d parameter]
      /index.php/component/users/ [name of an arbitrarily supplied URL parameter]
      /index.php/component/users/ [name of an arbitrarily supplied body parameter]
      /index.php/component/users/ [task parameter]


      3. Cross-site scripting (DOM-based)

      There are 68 instances of this issue:
      /
      //
      /index.php
      /index.php/
      /index.php/component/content/
      /index.php/component/content/article
      /index.php/component/content/category/10-producten/
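To get a handle on a list like this, here is an added example (not from the post, Joomla or RocketTheme) that parses the quoted `<path> [<injection point>]` instance lines into findings, classifies each injection point (cookie, HTTP header, URL path segment, named or scanner-chosen parameter) and counts instances per class and per path, so the few paths and input types behind most of the 80+ findings can be reviewed first. The report text is a constructed sample built from the lines quoted above, and the class labels are my own.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the shape of the instance list quoted above.
SAMPLE_REPORT = """\
1. XPath injection
There are 11 instances of this issue:
//index.php [name of an arbitrarily supplied URL parameter]
/index.php/component/users/ [7146184903f7d45bf4799c91ff01805e cookie]
/index.php/component/users/ [Referer HTTP header]
/index.php/component/users/ [URL path folder 3]
/index.php/component/users/ [User-Agent HTTP header]
/index.php/component/users/ [jform%5bemail%5d parameter]
3. Cross-site scripting (DOM-based)
/
/index.php
"""

ISSUE_RE = re.compile(r"^\d+\.\s+(.+)$")
INSTANCE_RE = re.compile(r"^(/\S*)(?:\s+\[(.+)\])?$")

def classify(point):
    """Coarse input class for an injection-point description (my own labels)."""
    if point is None:
        return "page"                # instance is a bare page path
    if "arbitrarily supplied" in point:
        return "arbitrary-name"      # scanner-chosen name, not a real form field
    if point.startswith("URL path folder"):
        return "path"
    for suffix, label in ((" cookie", "cookie"), (" HTTP header", "header"), (" parameter", "parameter")):
        if point.endswith(suffix):
            return label
    return "other"

def parse_report(text):
    """Return {issue title: [(path, injection point, class), ...]}."""
    findings, issue = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("There are "):
            continue
        if m := ISSUE_RE.match(line):
            issue = m.group(1)
        elif issue and (m := INSTANCE_RE.match(line)):
            path, point = m.group(1), m.group(2)
            findings[issue].append((path, point, classify(point)))
    return findings

def triage(findings):
    """Per issue, count instances by input class and by path to see what to review first."""
    return {i: {"by_class": Counter(c for _, _, c in inst), "by_path": Counter(p for p, _, _ in inst)}
            for i, inst in findings.items()}
```

Grouping by path shows which component to look at first; the per-class counts separate findings reached only through request headers or cookies from those reached through real form parameters.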
    • Damir
    • Preeminent Rocketeer
    • Posts: 22450
    • Thanks: 2679
    • Web Developer

    Re: Nessus Scan on Joomla site

    Posted 7 years 5 months ago
  • Re: Nessus Scan on Joomla site

    Posted 7 years 5 months ago
    • Hi Damir,

      Thanks for your quick reply. I'm not running on the latest version, I'm aware of that. But I'm not sure if an upgrade will solve my problems.
      Please find below the details:

      Joomla! 2.5.9 Stable [ Ember ] 4-February-2013 14:00 GMT
      Joomla Platform 11.4.0 Stable [ Brian Kernighan ] 03-Jan-2012 00:00 GMT
    • Damir
    • Preeminent Rocketeer
    • Posts: 22450
    • Thanks: 2679
    • Web Developer

    Re: Nessus Scan on Joomla site

    Posted 7 years 5 months ago
  • Re: Nessus Scan on Joomla site

    Posted 7 years 5 months ago
    • All right, I upgraded to Joomla 3.6.4 today.
      Going to request a new scan. Will post the outcome!
    • Damir
    • Preeminent Rocketeer
    • Posts: 22450
    • Thanks: 2679
    • Web Developer

    Re: Nessus Scan on Joomla site

    Posted 7 years 4 months ago
