Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAHgqqbTrd+Kc1YwwmR5iG2koU5brf0H+=EWjKJ1TbJ+L6LFPVQ@mail.gmail.com>
Date: Mon, 19 May 2014 10:48:17 +0300
From: Dolev Farhi <dolevf87@...il.com>
To: cve-assign <cve-assign@...re.org>
Cc: oss-security <oss-security@...ts.openwall.com>
Subject: Re: OpenFiler - Arbitrary Code Execution & Stored XSS

Yes,

OpenFiler uses the 'openfiler' user account for its' web user interface,
and port 446 is open for the UI administration.

in general, logged on user doesn't have direct shell access and the
OpenFiler appliance does not provide with an interface

to interact directly with the shell. this makes the command execution
problematic in terms of security as it allows an attacker to run

system commands and read arbitrary system files via the host name change
box.

Regarding the XSS vulnerability; OpenFiler allows LDAP authentication and
not just local user accounts, this may cause privilege escalations once a
regular user adds a malicious shared device..








On Mon, May 19, 2014 at 6:46 AM, <cve-assign@...re.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Can you provide more information about how these issues cross
> privilege boundaries?
>
> As far as the GUI is concerned, the 'root' account is just a normal



> user. You need to log in as 'openfiler' to administer the system.
>
> Maybe there's an argument that one only needs network connectivity to
> TCP port 446 for the administrative web interface, but one needs
> connectivity to TCP port 22 (maybe?) to login as root.
>
> Also, http://www.exploit-db.com/exploits/33248/ seems to be about XSS
> attacks conducted by the openfiler account against the openfiler
> account.
>
> The issues can have CVE IDs only if there's privilege escalation in a
> realistic way.
>
> - --
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (SunOS)
>
> iQEcBAEBAgAGBQJTeX3gAAoJEKllVAevmvms9lsIALryes3uY6dITdbP/1R4ee/0
> FGFDq0WH8VvEwSiNzqGyavupGeq0O0X0PEkOnb3mwAcBV38X4MU3K7zsSGaoWEEt
> 4X7o7VU7XhewwSO6t+LabaVZcu0Vk3Y5sSDuOUH2GxmvGQcJAFstQF5bVp4Jan8q
> O4oz3T0ny9AX1rJhxcoII0ReatWsl5h7HrkskvS8DGwiqBlFAeUwQMr63gDYqCYK
> nHLl1dmrl9EGwKTOVeZcjUdmV5ElZtw6oTSsXrMYZKU5aeBb16mD+LpmHUFzyT3j
> oqoRdqUeZbxB8gxj2mVyp1n+7Pnt2vDvH5VE5+OADceaZV1pNDpoukVveWq34n4=
> =3gFo
> -----END PGP SIGNATURE-----
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.