Date: Sun, 18 May 2014 23:46:40 -0400 (EDT)
From: cve-assign@...re.org
To: dolevf87@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: OpenFiler - Arbitrary Code Execution & Stored XSS

Can you provide more information about how these issues cross
privilege boundaries?

There does not seem to be much documentation available on the
openfiler.com web site, at least not under the
http://openfiler.com/learn page.
http://www.openfiler.com/learn/how-to/graphical-installation says "You
can learn how to manage the Openfiler system by browsing the
administrator guide online which can be found here" and this is a link
to the http://www.openfiler.com/docs/manual/ URL, which yields a "Page
not found" error.

https://forums.openfiler.com/index.php?/topic/3190-manual/ (possibly
out-of-date) says "The official manual is not free."

As far as we can tell from the graphical-installation page, Openfiler
is a Linux distribution, and all of the Linux accounts (including
root) are under the control of an application-level account named
openfiler. The attacks seem to require access to this account or
possibly an equivalent account. Although the ability to use `
characters for shell commands is arguably a bug, an attacker with
access to the openfiler account can apparently change the root
password and other passwords, and then log in directly to execute any
commands as root.

For example (again, possibly out-of-date):
  https://forums.openfiler.com/index.php?/topic/3661-root-account-is-locked-down/

  As far as the GUI is concerned, the 'root' account is just a normal
  user. You need to log in as 'openfiler' to administer the system.

Maybe there's an argument that one only needs network connectivity to
TCP port 446 for the administrative web interface, but one needs
connectivity to TCP port 22 (maybe?) to log in as root.

Also, http://www.exploit-db.com/exploits/33248/ seems to be about XSS
attacks conducted by the openfiler account against the openfiler
account.

The issues can have CVE IDs only if there's privilege escalation in a
realistic way.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
