rphilip Posted June 29, 2010

Hello:

Several security databases have issued a warning regarding Uniform Server, claiming it is vulnerable to cross-site scripting attacks. Please see:

http://web.nvd.nist.gov/view/vuln/detail?v...d=CVE-2010-2113
http://xforce.iss.net/xforce/xfdb/58844

Are these security threats real?
Have they been fixed in the latest version?

Thank You!
-Ross
Ric Posted June 29, 2010

"A cross-site request forgery vulnerability" Sounds scary!

"Are these security threats real?"
Yes and no!

"Have they been fixed in the latest version?"
Nothing to fix!

Note: The first nag screen of 6.0.0-Carbo highlights this potential risk.

"Yes and no!" is a strange answer; let me explain:

Putting your servers on-line you must change the MySQL password and enable password protection for Apanel. If you don't password protect Apanel you expose your server to this specific attack as mentioned in the links you provided.

Although the above protects your server's Apanel scripts, it does not protect against third party scripts. These may have XSS (Cross-Site Scripting) vulnerabilities.

For a production server, if you are really paranoid, don't expose Apanel: just rename or delete folder UniServer\home\admin. Again, this does not resolve any third party XSS issues.

All the best
Ric
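Ric's advice above is to put Apanel behind Apache password protection before the server goes on-line. As an added example (not code from this thread, from Uniform Server, or from the CVE), the Python script below writes the .htaccess/.htpasswd pair that Apache's mod_authn_file reads, hashing the password in the APR1 format that `htpasswd -m` produces so the file is interchangeable with one made by the Apache tool. The directory paths (`admin_dir`, `htpasswd_path`) and the user name are assumptions; the admin folder itself is whatever your Apache serves Apanel from.

```python
"""Added example: protect an admin directory with Apache HTTP Basic auth.

Not from the thread or the Uniform Server project. Paths and user name are
assumed. The hash is APR1 (Apache-flavoured md5-crypt), i.e. `htpasswd -m`.
"""
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base-64: emit `count` 6-bit groups, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: str, salt: str = "") -> str:
    """Return an Apache APR1 hash: $apr1$<8-char salt>$<22-char digest>."""
    if not salt:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, slt = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + slt + pw).digest()
    ctx = hashlib.md5(pw + MAGIC + slt)
    # Fold in the alternate sum, one byte per byte of password length.
    n = len(pw)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    # For each bit of the length, a NUL (bit set) or the first password byte.
    n = len(pw)
    while n:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    # 1000 strengthening rounds, exactly as md5-crypt specifies them.
    for i in range(1000):
        step = hashlib.md5()
        step.update(pw if i & 1 else final)
        if i % 3:
            step.update(slt)
        if i % 7:
            step.update(pw)
        step.update(final if i & 1 else pw)
        final = step.digest()
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"$apr1${slt.decode()}${encoded}"


def apr1_verify(password: str, stored: str) -> bool:
    """Check `password` against a stored $apr1$ hash without a timing leak."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False  # not an APR1 entry (e.g. {SHA} or bcrypt line)
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)


def protect_directory(admin_dir: Path, htpasswd_path: Path, user: str, password: str) -> str:
    """Write .htpasswd (ideally outside the docroot) and a .htaccess for admin_dir.

    Returns the .htaccess text so callers can inspect it.
    """
    htpasswd_path.write_text(f"{user}:{apr1_hash(password)}\n")
    htaccess = (
        "AuthType Basic\n"
        'AuthName "Restricted admin area"\n'
        f"AuthUserFile {htpasswd_path.as_posix()}\n"
        "Require valid-user\n"
    )
    (admin_dir / ".htaccess").write_text(htaccess)
    return htaccess


if __name__ == "__main__":
    # Demo in a scratch directory; real paths are deployment-specific (assumed).
    base = Path(tempfile.mkdtemp())
    (base / "admin").mkdir()
    print(protect_directory(base / "admin", base / ".htpasswd", "admin", "change-me"))
    print((base / ".htpasswd").read_text())
```

Two caveats a practitioner should check before relying on this: Apache only honours the generated .htaccess if the enclosing directory has `AllowOverride AuthConfig` (or `All`), and Basic auth sends the credentials base64-encoded on every request, so the admin area must be served over HTTPS or the password is readable on the wire. You can cross-check the hash format against `htpasswd -nbm user password` on any machine with the Apache tools installed. As Ric says, this gates who can reach the admin scripts at all; it does not remove an XSS bug from a third-party script.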
rphilip Posted June 30, 2010

Thank you for your quick and informative response!
-Ross
BobS Posted July 29, 2010

It appears to me that the most secure solution is to remove Apanel when you put your UniServer in production. I'm not sure that changing the passwords alone will resolve XSS in this particular case, but I consider it a "must do" before I would expose UniServer to the Internet. Since the password is acted on via Apache, is that sufficient to thwart the threat? Until I know more about if and how an XSS could circumvent a password, I'd use Ric's solution and blast the Apanel directory.

The real question is whether the CVE report took into account the requirement for password changes, or just assumed that people would run it as-is.

Bob
Ric Posted July 29, 2010

Hi Bob

"The real question is whether the CVE report took into account the requirement for password changes, or just assumed that people would run it as-is."

The example code which they used did indeed assume run as-is. With a password set for Apanel there is no problem. As I mentioned, anyone paranoid can rename the folder or delete it.

All the best
Ric