Date: Sun, 18 May 2014 23:46:40 -0400 (EDT)
Subject: Re: OpenFiler - Arbitrary Code Execution & Stored XSS

Can you provide more information about how these issues cross
privilege boundaries?

There does not seem to be much documentation available on the web site, at least not under the page. says "You
can learn how to manage the Openfiler system by browsing the
administrator guide online which can be found here" and this is a link
to the URL, which yields a "Page
not found" error. (possibly
out-of-date) says "The official manual is not free."

As far as we can tell from the graphical-installation page, Openfiler
is a Linux distribution, and all of the Linux accounts (including
root) are under the control of an application-level account named
openfiler. The attacks seem to require access to this account or
possibly an equivalent account. Although the ability to use `
characters for shell commands is arguably a bug, an attacker with
access to the openfiler account can apparently change the root
password and other passwords, and then login directly to execute any
commands as root.

For example (again, possibly out-of-date):

  As far as the GUI is concerned, the 'root' account is just a normal
  user. You need to log in as 'openfiler' to administer the system.

Maybe there's an argument that one only needs network connectivity to
TCP port 446 for the administrative web interface, but one needs
connectivity to TCP port 22 (maybe?) to login as root.

Also, seems to be about XSS
attacks conducted by the openfiler account against the openfiler

The issues can have CVE IDs only if there's privilege escalation in a
realistic way.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]