Hi group, I have recently run a 'Full, Deep and non-destructive' scan of our PF 6 server and was concerned at a few Serious and High rated vulnerabilities relating to third party applications used in the PF code.
Vuln Name                                                              VulnID   Service                  Severity
--------------------------------------------------------------------------------------------------------------------
YaBB XSS and Administrator Command Execution                           14782    unknown (9000/tcp)       Serious
  Vulnerable url: http://....:9000/dashboard/YaBB.pl?board=;action=imsend;to=%22%3E%3Cscript%3Efoo%3C/script%3E
Cart32 GetLatestBuilds XSS                                             12290    unknown (9000/tcp)       High
  Vulnerable url: http://....:9000/dashboard/cart32.exe/GetLatestBuilds?cart32=%3Cscript%3Efoo%3C/script%3E
pfile Multiple Cross Site Scripting and SQL Injection Vulnerabilities  103435   unknown (9000/tcp)       High
  pfile 1.02 is vulnerable; other versions may also be affected.
Ultimate PHP Board multiple XSS flaws                                  19498    unknown (9000/tcp)       High
http TRACE XSS attack                                                  11213    unknown (9000/tcp)       High
http TRACE XSS attack                                                  11213    zeus-admin (9090/tcp)    High
http TRACE XSS attack                                                  11213    ies-lm (1443/tcp)        High
http TRACE XSS attack                                                  11213    realserver (7070/tcp)    High
--------------------------------------------------------------------------------------------------------------------

What is the take on disabling HTTP TRACE on the virtual hosts (Apache says it is not a problem)? Also, is there a fix for the YaBB, Cart32 and pfile issues? We need to sort this out, as our entire enterprise will fail its PCI compliance testing if any of our servers has such Serious and/or High 'issues'.

Thanks,
Andrew

_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
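As an added example (not from Andrew's post or the PacketFence project), the check below sends a TRACE request to each port the scan flagged and reports whether the server echoes the request back, which is the behaviour the 11213 finding keys on; after setting Apache's `TraceEnable Off` on the virtual hosts, rerunning it confirms the change took effect. The target host comes from the command line, the port list is the one in the scan output, the `X-Trace-Check` marker header is an assumption, and only plain-TCP ports are probed (a TLS listener would need the socket wrapped with `ssl`).

```python
import socket
import sys

# Ports flagged "http TRACE XSS attack" (VulnID 11213) in the scan report.
FLAGGED_PORTS = (9000, 9090, 1443, 7070)

# Assumed marker header: a server with TRACE enabled echoes the request,
# headers included, in a 200 response with Content-Type message/http.
MARKER = "X-Trace-Check: packetfence-audit"


def build_trace_request(host: str) -> bytes:
    """Raw HTTP/1.1 TRACE request carrying the marker header."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n{MARKER}\r\n"
            "Connection: close\r\n\r\n").encode()


def classify_trace_response(raw: bytes) -> str:
    """'enabled' if the server answered 200 and echoed the marker in the body,
    'disabled' if it refused the method (403/405/501), else 'unknown'."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "unknown"
    code = parts[1]
    if code == "200" and MARKER.encode() in body:
        return "enabled"
    if code in ("403", "405", "501"):
        return "disabled"
    return "unknown"


def check_trace(host: str, port: int, timeout: float = 5.0) -> str:
    """Probe one host:port over plain TCP; 'unreachable' on connect/read errors."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_trace_request(host))
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return "unreachable"
    return classify_trace_response(b"".join(chunks))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in FLAGGED_PORTS:
        print(f"{target}:{p}  TRACE {check_trace(target, p)}")
```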
