Potential Information Disclosure or Privilege Escalation in CGI

We have a third party who scans our network for compliance and they used Nessus to find the following vulnerability. Any idea how to correct this?
Threat ID: 144134
THREAT REFERENCE
Summary:
Potential Information Disclosure or Privilege Escalation in CGI
Risk: Critical (4)
Type: Nessus
Port: 443
Protocol: TCP
Threat ID: 144134
Information From Target:
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to unseen parameters :
/zimbra/css/common,login,zhtml.css?skin=&v=&debug=1
-------- output --------
P,TH,TD,DIV,SELECT,INPUT[type=text],INPUT[type=password],INPUT[typ [...]
P,TH,TD,DIV,SELECT,INPUT,TEXTAREA,BUTTON{font-family:"Helvetica Ne [...]
HTML{width:100%;height:100%;}
-------- vs --------
/*
* #define WINDOWS true
* #define MSIE_5_5_OR_HIGHER true
------------------------
Solution:
Inspect the reported CGIs and, if necessary, modify them so that
security is not based on obscurity.
Details:
By sending requests with additional parameters such as 'admin', 'debug', or 'test' to CGI scripts hosted on the remote web server, Nessus was able to generate at least one significantly different response even though the parameters themselves do not actually appear in responses.
This behavior suggests that such a parameter, while unseen, are used by the affected application(s) and may enable an attacker to bypass authentication, read confidential data (like the source of the scripts), modify the behavior of the application(s) or conduct similar attacks to gain privileges.
Note that this script is experimental and may be prone to false positives.