Potential Information Disclosure or Privilege Escalation in CGI

PastorOfMuppets
Posts: 4
Joined: Sat Sep 13, 2014 2:23 am

Postby PastorOfMuppets » Thu Dec 29, 2011 11:34 am

We have a third-party who scans our network for compliance and they used Nessus to find the following vulnerability. Any idea how to correct this?
Threat ID: 144134
THREAT REFERENCE
Summary:

Potential Information Disclosure or Privilege Escalation in CGI
Risk: Critical (4)

Type: Nessus

Port: 443

Protocol: TCP

Threat ID: 144134
Information From Target:

Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to unseen parameters :
/zimbra/css/common,login,zhtml.css?skin=&v=&debug=1
-------- output --------
P,TH,TD,DIV,SELECT,INPUT[type=text],INPUT[type=password],INPUT[typ [...]
P,TH,TD,DIV,SELECT,INPUT,TEXTAREA,BUTTON{font-family:"Helvetica Ne [...]
HTML{width:100%;height:100%;}
-------- vs --------
/*
* #define WINDOWS true
* #define MSIE_5_5_OR_HIGHER true
------------------------
Solution:

Inspect the reported CGIs and, if necessary, modify them so that security is not based on obscurity.
Details:

By sending requests with additional parameters such as 'admin', 'debug', or 'test' to CGI scripts hosted on the remote web server, Nessus was able to generate at least one significantly different response even though the parameters themselves do not actually appear in responses.
This behavior suggests that such a parameter, while unseen, are used by the affected application(s) and may enable an attacker to bypass authentication, read confidential data (like the source of the scripts), modify the behavior of the application(s) or conduct similar attacks to gain privileges.
Note that this script is experimental and may be prone to false positives.


phoenix
Ambassador
Posts: 26698
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Postby phoenix » Thu Dec 29, 2011 11:49 am

[quote user="PastorOfMuppets"]We have a third-party who scans our network for compliance and they used Nessus to find the following vulnerability. [/quote]
Why not start by updating your forum profile with the output of the following command:

zmcontrol -v

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
PastorOfMuppets
Posts: 4
Joined: Sat Sep 13, 2014 2:23 am

Postby PastorOfMuppets » Thu Dec 29, 2011 12:10 pm

[quote user="phoenix"]Why not start by updating your forum profile with the output of the following command:

zmcontrol -v
[/quote]
Release 7.1.3_GA_3346.RHEL5_64_20110928134520 CentOS5_64 FOSS edition, Patch 7.1.3_P1.
PastorOfMuppets
Posts: 4
Joined: Sat Sep 13, 2014 2:23 am

Postby PastorOfMuppets » Thu Dec 29, 2011 12:30 pm

I just contacted the third-party who is scanning us and they said we just need to turn debugging off so the output won't be different. Does anyone know the CLI command? I'm going to try and google it and find out.
Thanks.
synaptic
Posts: 1
Joined: Sat Sep 13, 2014 2:34 am

Postby synaptic » Mon Apr 23, 2012 10:54 pm

Did you ever find a resolution for this one? I'm also trying to disable it.
$ zmprov gacf | grep -i debug
zimbraHttpDebugHandlerEnabled: TRUE
$ zmprov gs `zmhostname` zimbraHttpDebugHandlerEnabled
# name mail.domain.com
zimbraHttpDebugHandlerEnabled: TRUE
I tried setting both of those to FALSE and restarting but it had no effect on the /zimbra/css/common,login,zhtml.css?debug=1 query string results.
Thanks.
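
Added example, not part of any post in this thread and not Nessus's own code: the comparison the scan report describes (a response that changes when an extra parameter is sent, although the parameter is not echoed back), applied offline to two saved response bodies so the result can be re-checked after a configuration change. The sample bodies are constructed, and the function names and the 0.9 similarity threshold are assumptions.

```python
import difflib

# Constructed sample bodies, loosely modelled on the scan output quoted in the thread.
BASELINE = (
    "P,TH,TD,DIV{font-family:Arial}\n"
    "HTML{width:100%;height:100%;}\n"
)
DEBUG_VARIANT = (
    "/*\n"
    " * #define WINDOWS true\n"
    " * #define MSIE_5_5_OR_HIGHER true\n"
    " */\n"
    "P,TH,TD,DIV {\n"
    "  font-family: Arial;\n"
    "}\n"
    "HTML{width:100%;height:100%;}\n"
)


def _lines(body):
    """Strip whitespace and drop blank lines so layout noise is ignored."""
    return [ln.strip() for ln in body.splitlines() if ln.strip()]


def compare_responses(baseline, variant, param, threshold=0.9):
    """Flag a response that changes noticeably when `param` is sent
    although the parameter name is not echoed back in the body.

    `threshold` is an assumed cut-off, not a value taken from the scanner.
    """
    base, var = _lines(baseline), _lines(variant)
    similarity = difflib.SequenceMatcher(None, base, var).ratio()
    reflected = param.lower() in variant.lower()
    seen = set(base)
    return {
        "similarity": round(similarity, 2),
        "reflected": reflected,
        "flagged": similarity < threshold and not reflected,
        # Lines only the variant returned: what a reviewer reads to decide
        # whether anything sensitive is exposed.
        "only_in_variant": [ln for ln in var if ln not in seen],
    }


if __name__ == "__main__":
    result = compare_responses(BASELINE, DEBUG_VARIANT, "debug")
    print(result["similarity"], result["flagged"])
    for line in result["only_in_variant"]:
        print("+", line)
```

Pass in the two bodies saved from your own server, with and without the extra parameter, in place of the constructed samples.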
