Thread: Potential Information Disclosure or Privilege Escalation in CGI

  1. #1
    PastorOfMuppets is offline New Member
    Join Date
    Dec 2011
    Posts
    4
    Rep Power
    3

    Default Potential Information Disclosure or Privilege Escalation in CGI

    We have a third-party who scans our network for compliance and they used Nessus to find the following vulnerability. Any idea how to correct this?

    Threat ID: 144134

    THREAT REFERENCE

    Summary:
    Potential Information Disclosure or Privilege Escalation in CGI

    Risk: Critical (4)
    Type: Nessus
    Port: 443
    Protocol: TCP
    Threat ID: 144134

    Information From Target:
    Using the GET HTTP method, Nessus found that :

    + The following resources may be vulnerable to unseen parameters :

    /zimbra/css/common,login,zhtml.css?skin=&v=&debug=1

    -------- output --------
    P,TH,TD,DIV,SELECT,INPUT[type=text],INPUT[type=password],INPUT[typ [...]
    P,TH,TD,DIV,SELECT,INPUT,TEXTAREA,BUTTON{font-family:"Helvetica Ne [...]
    HTML{width:100%;height:100%;}
    -------- vs --------
    /*
    * #define WINDOWS true
    * #define MSIE_5_5_OR_HIGHER true
    ------------------------

    Solution:

    Inspect the reported CGIs and, if necessary, modify them so that
    security is not based on obscurity.

    Details:
    By sending requests with additional parameters such as 'admin', 'debug', or 'test' to CGI scripts hosted on the remote web server, Nessus was able to generate at least one significantly different response even though the parameters themselves do not actually appear in responses.

    This behavior suggests that such parameters, while unseen, are used by the affected application(s) and may enable an attacker to bypass authentication, read confidential data (like the source of the scripts), modify the behavior of the application(s) or conduct similar attacks to gain privileges.

    Note that this script is experimental and may be prone to false positives.

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,480
    Rep Power
    56

    Default

    Quote Originally Posted by PastorOfMuppets
    We have a third-party who scans our network for compliance and they used Nessus to find the following vulnerability.
    Why not start by updating your forum profile with the output of the following command:
    Code:
    zmcontrol -v
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    PastorOfMuppets is offline New Member
    Join Date
    Dec 2011
    Posts
    4
    Rep Power
    3

    Default

    Quote Originally Posted by phoenix
    Why not start by updating your forum profile with the output of the following command:
    Code:
    zmcontrol -v
    Release 7.1.3_GA_3346.RHEL5_64_20110928134520 CentOS5_64 FOSS edition, Patch 7.1.3_P1.

  4. #4
    PastorOfMuppets is offline New Member
    Join Date
    Dec 2011
    Posts
    4
    Rep Power
    3

    Default

    I just contacted the third-party who is scanning us and they said we just need to turn debugging off so the output won't be different. Does anyone know the CLI command? I'm going to try and google it and find out.

    Thanks.

  5. #5
    synaptic is offline Starter Member
    Join Date
    Apr 2012
    Posts
    1
    Rep Power
    3

    Default

    Did you ever find a resolution for this one? I'm also trying to disable it.

    $ zmprov gacf | grep -i debug
    zimbraHttpDebugHandlerEnabled: TRUE

    $ zmprov gs `zmhostname` zimbraHttpDebugHandlerEnabled
    # name mail.domain.com
    zimbraHttpDebugHandlerEnabled: TRUE

    I tried setting both of those to FALSE and restarting but it had no effect on the /zimbra/css/common,login,zhtml.css?debug=1 query string results.

    Thanks.
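The check the thread keeps coming back to is whether the `debug=1` query string still produces a different response after a configuration change. The script below is an added example (not from any poster or from Zimbra) that reproduces the Nessus "unseen parameter" comparison: fetch the resource with and without the probe parameter and compare the bodies. The `fetch`, `compare_bodies` and `check_unseen_parameter` names, the 0.9 similarity threshold and the sample bodies are all constructed here, modelled on the output excerpt in post #1.

```python
import difflib
import urllib.request

# Added example: reproduce the Nessus "unseen parameter" comparison so the
# fix can be verified. Helper names and the threshold are assumptions.


def fetch(url: str, timeout: float = 10.0) -> str:
    """Return the response body for url (network helper; not used offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def compare_bodies(baseline: str, probe: str) -> dict:
    """Compare the baseline response with the one produced by the probe parameter.

    Returns the character-level similarity ratio and the lines that appear only
    in the probe response (for the CSS endpoint in the thread these are the
    un-minified rules and the '#define' build comments).
    """
    ratio = difflib.SequenceMatcher(None, baseline, probe).ratio()
    base_lines = set(baseline.splitlines())
    extra = [ln for ln in probe.splitlines() if ln not in base_lines]
    # 0.9 is an assumed threshold: below it we treat the parameter as "seen".
    return {"ratio": round(ratio, 3), "differs": ratio < 0.9, "extra_lines": extra}


def check_unseen_parameter(url: str, param: str = "debug=1") -> dict:
    """Fetch url with and without param and compare the two responses."""
    sep = "&" if "?" in url else "?"
    return compare_bodies(fetch(url), fetch(url + sep + param))


# Constructed sample bodies mirroring the "output" vs "vs" excerpt in post #1.
BASELINE = (
    "P,TH,TD,DIV,SELECT,INPUT[type=text],INPUT[type=password]{font-size:12px;}\n"
    "HTML{width:100%;height:100%;}\n"
)
PROBE = (
    "/*\n"
    " * #define WINDOWS true\n"
    " * #define MSIE_5_5_OR_HIGHER true\n"
    " */\n"
    "P, TH, TD, DIV, SELECT, INPUT[type=text], INPUT[type=password] {\n"
    "    font-size: 12px;\n"
    "}\n"
    "HTML { width: 100%; height: 100%; }\n"
)

if __name__ == "__main__":
    # Against a live server you would call, with your own host substituted:
    # check_unseen_parameter("https://HOST/zimbra/css/common,login,zhtml.css?skin=&v=")
    print(compare_bodies(BASELINE, PROBE))
```

Run `check_unseen_parameter` against the CSS URL from post #1 before and after changing the debug setting; the finding is resolved when `differs` is `False` and `extra_lines` is empty.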
