The Uniform Server Community
Security Vulnerability (XSS) in Uniform Server?


Hello:

Several security databases have issued a warning regarding Uniform Server, claiming it is vulnerable to cross-site scripting attacks. Please see:

http://web.nvd.nist.gov/view/vuln/detail?v...d=CVE-2010-2113

http://xforce.iss.net/xforce/xfdb/58844

 

Are these security threats real?

Have they been fixed in the latest version?

 

Thank You!

-Ross

A cross-site request forgery vulnerability

Sounds scary!

“Are these security threats real?”

Yes and no!

“Have they been fixed in the latest version?”

Nothing to fix!

 

Note: The first nag screen of 6.0.0-Carbo highlights this potential risk.

 

“Yes and no!” is a strange answer; let me explain:

 

When putting your servers on-line you must change the MySQL password and enable password protection for Apanel.

 

If you don’t password protect Apanel you expose your server to this specific attack, as mentioned in the links you provided.

 

Although the above protects your server’s Apanel scripts, it does not protect against third-party scripts. These may have XSS (Cross-Site Scripting) vulnerabilities.

 

For a production server, if you are really paranoid, don’t expose Apanel at all: just rename or delete the folder UniServer\home\admin.

Again, this does not resolve any third-party XSS issues.

 

All the best

Ric :)
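Added example (editor's, not from Ric's post and not Uniform Server's own shipped configuration): the Apache 2.2-style directive block that implements the two protections described above, HTTP Basic authentication on the Apanel folder plus a restriction to the local machine. The Windows path C:/UniServer/home/admin, the password-file location and the /apanel/ URL used in the check are assumptions; match them to your own httpd.conf before using this.

```apache
# Added example, not part of Uniform Server's shipped httpd.conf.
# Folder path and password-file location are assumptions; adjust to your install.

# Weak (run-as-is) setting: anyone who can reach the server can open Apanel.
# <Directory "C:/UniServer/home/admin">
#     Order allow,deny
#     Allow from all
# </Directory>

# Hardened setting: a valid Apache user AND a local client are both required.
<Directory "C:/UniServer/home/admin">
    AuthType Basic
    AuthName "Uniform Server Apanel"
    # Create the file once with:  htpasswd -c C:/UniServer/etc/apanel.htpasswd admin
    # Keep it outside any folder Apache serves, so it can never be downloaded.
    AuthUserFile "C:/UniServer/etc/apanel.htpasswd"
    Require valid-user

    # Network restriction: only the local machine may reach Apanel.
    # Remove these three lines if you need remote, password-protected access.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1

    # Apache 2.2 default; both the IP check and the password must pass.
    Satisfy All
</Directory>
```

Check it after restarting Apache: a request to http://your-host/apanel/ from another machine should get 403 (blocked by the IP rule), and a local request without credentials should get 401 with a WWW-Authenticate header. On Apache 2.4 the same policy is written as `Require valid-user` and `Require ip 127.0.0.1` inside a `<RequireAll>` block. As Ric says, this only gates who can reach the Apanel scripts; it does not remove an XSS bug inside them, and it does nothing for third-party scripts in www. Renaming or deleting home\admin removes the scripts entirely.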


It appears to me that the most secure solution is to remove apanel when you put your UniServer in production. I'm not sure that changing the passwords alone will resolve XSS in this particular case, but I consider it a "must do" before I would expose UniServer to the Internet. Since the password is acted on via Apache, is that sufficient to thwart the threat? Until I know more about if and how an XSS could circumvent a password, I'd use Ric's solution and blast the apanel directory.

 

The real question is whether the CVE report took into account the requirement for password changes, or just assumed that people would run it as-is.

 

Bob

Hi Bob

“The real question is whether the CVE report took into account the requirement for password changes, or just assumed that people would run it as-is.“

 

The example code, which they used, did indeed assume run as is. :blink:

 

Setting a password for Apanel, there is no problem. As I mentioned, anyone paranoid can rename the folder or delete it. :)

 

All the best

Ric :lol:
