Date: Sun, 18 May 2014 23:46:40 -0400 (EDT) From: cve-assign@...re.org To: dolevf87@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: OpenFiler - Arbitrary Code Execution & Stored XSS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can you provide more information about how these issues cross privilege boundaries? There does not seem to be much documentation available on the openfiler.com web site, at least not under the http://openfiler.com/learn page. http://www.openfiler.com/learn/how-to/graphical-installation says "You can learn how to manage the Openfiler system by browsing the administrator guide online which can be found here" and this is a link to the http://www.openfiler.com/docs/manual/ URL, which yields a "Page not found" error. https://forums.openfiler.com/index.php?/topic/3190-manual/ (possibly out-of-date) says "The official manual is not free." As far as we can tell from the graphical-installation page, Openfiler is a Linux distribution, and all of the Linux accounts (including root) are under the control of an application-level account named openfiler. The attacks seem to require access to this account or possibly an equivalent account. Although the ability to use ` characters for shell commands is arguably a bug, an attacker with access to the openfiler account can apparently change the root password and other passwords, and then login directly to execute any commands as root. For example (again, possibly out-of-date): https://forums.openfiler.com/index.php?/topic/3661-root-account-is-locked-down/ As far as the GUI is concerned, the 'root' account is just a normal user. You need to log in as 'openfiler' to administer the system. Maybe there's an argument that one only needs network connectivity to TCP port 446 for the administrative web interface, but one needs connectivity to TCP port 22 (maybe?) to login as root. Also, http://www.exploit-db.com/exploits/33248/ seems to be about XSS attacks conducted by the openfiler account against the openfiler account. The issues can have CVE IDs only if there's privilege escalation in a realistic way. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTeX3gAAoJEKllVAevmvms9lsIALryes3uY6dITdbP/1R4ee/0 FGFDq0WH8VvEwSiNzqGyavupGeq0O0X0PEkOnb3mwAcBV38X4MU3K7zsSGaoWEEt 4X7o7VU7XhewwSO6t+LabaVZcu0Vk3Y5sSDuOUH2GxmvGQcJAFstQF5bVp4Jan8q O4oz3T0ny9AX1rJhxcoII0ReatWsl5h7HrkskvS8DGwiqBlFAeUwQMr63gDYqCYK nHLl1dmrl9EGwKTOVeZcjUdmV5ElZtw6oTSsXrMYZKU5aeBb16mD+LpmHUFzyT3j oqoRdqUeZbxB8gxj2mVyp1n+7Pnt2vDvH5VE5+OADceaZV1pNDpoukVveWq34n4= =3gFo -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ