  • Atoosa Khoda 96 posts 148 karma points
    Mar 27, 2023 @ 01:09
    Atoosa Khoda
    0

    CGI Generic Command Execution (time-based)

    Our recent PEN test has revealed a penetration shortfall on the web server on which we run our Umbraco website. The description of the error is as below:

    CGI Generic Command Execution (time-based)

    https://www.tenable.com/plugins/nessus/44967

    I'm not sure where to start with this particular security issue, not even sure if it's code and development related, db related, website config related, IIS setting related, or the machine itself.

    Any hint from those who have experience is highly appreciated.

    Thanks, Atoosa

  • Huw Reddick 1929 posts 6717 karma points MVP 2x c-trib
    Mar 27, 2023 @ 06:14
    Huw Reddick
    0

    It is web server related, nothing to do with Umbraco. Allowing CGI scripts is an IIS configuration setting.

  • Atoosa Khoda 96 posts 148 karma points
    Mar 27, 2023 @ 06:52
    Atoosa Khoda
    0

    Thanks. I've checked; CGI isn't even enabled on our server. Any other ideas?


  • Huw Reddick 1929 posts 6717 karma points MVP 2x c-trib
    Mar 27, 2023 @ 08:28
    Huw Reddick
    0

    Are you using any custom forms on your Umbraco site?

  • Huw Reddick 1929 posts 6717 karma points MVP 2x c-trib
    Mar 27, 2023 @ 08:29
    Huw Reddick
    0

    It seems https://www.tenable.com/plugins/nessus/43160 says it is based on the response time, which could generate a false positive. Are you 100% sure you never build any part of a SQL string yourself?

  • Atoosa Khoda 96 posts 148 karma points
    Mar 27, 2023 @ 09:21
    Atoosa Khoda
    0

    We're using Umbraco Form. By SQL string, do you mean using SQL statements directly inside the application? No, we're using true Model, View, Controller and LINQ.

  • Huw Reddick 1929 posts 6717 karma points MVP 2x c-trib
    Mar 27, 2023 @ 09:30
    Huw Reddick
    0

    Then it is probably not likely to be an issue and is just a false positive.
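
Added example, not part of any post in this thread: one way to check whether a response-time-based finding like this one is timing noise. It assumes (the thread does not say this) that each scanner probe asked the server to pause for a known number of seconds; the function names, thresholds and timing samples are constructed for illustration.

```python
from statistics import median

def slope(points):
    """Least-squares slope of observed response time against requested delay."""
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("need at least two different requested delays")
    return sum((x - mean_x) * (y - mean_y) for x, y in points) / sxx

def triage(baseline, probes, tolerance=0.25):
    """baseline: response times (s) of unmodified requests.
    probes: (requested_delay_s, observed_time_s) pairs from the re-test.
    A genuine delay adds roughly the requested seconds on every probe
    (slope near 1); a slow or busy server gives times unrelated to the
    request (slope near 0)."""
    base = median(baseline)
    jitter = max(baseline) - min(baseline)
    k = slope(probes)
    tracks = all(
        abs((observed - base) - requested) <= max(jitter, tolerance * requested)
        for requested, observed in probes
    )
    if tracks and abs(k - 1.0) <= tolerance:
        return "tracks_request"          # treat the finding as real
    if abs(k) < tolerance:
        return "likely_false_positive"   # delay does not follow the request
    return "inconclusive"                # repeat with more probes

# Constructed samples: a server whose normal response time swings widely.
NOISY_BASELINE = [0.9, 4.8, 1.2, 6.1, 1.0, 5.5]
NOISY_PROBES = [(3, 5.2), (6, 1.1), (9, 5.9), (3, 1.3), (6, 6.0), (9, 1.0)]

# Constructed samples: a quiet server where every probe adds its full delay.
QUIET_BASELINE = [0.20, 0.25, 0.22, 0.21, 0.24]
TRACKING_PROBES = [(3, 3.22), (6, 6.25), (9, 9.21), (3, 3.20), (6, 6.23)]

if __name__ == "__main__":
    print(triage(NOISY_BASELINE, NOISY_PROBES))
    print(triage(QUIET_BASELINE, TRACKING_PROBES))
```

Repeating the probes at several different delays matters: a single slow response cannot be told apart from load on the server, whereas a delay that scales with the request can.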
