Hello Andrew!

First of all, thank you for your concern and for caring about the security of the PacketFence solution. It is in fact a good practice to secure network access, but we also need to make sure that the solution we use to secure the network access is itself secure!
We looked at your report and here are some comments.

> YaBB XSS and Administrator Command Execution 14782 unknown
> (9000/tcp) Serious
> Vulnerable url:
> http://....:9000/dashboard/YaBB.pl?board=;action=imsend;to=%22%3E%3Cscript%3Efoo%3C/script%3E
>
> Cart32 GetLatestBuilds XSS 12290
> unknown (9000/tcp) High
> Vulnerable url:
> http://....:9000/dashboard/cart32.exe/GetLatestBuilds?cart32=%3Cscript%3Efoo%3C/script%3E
>
> pfile Multiple Cross Site Scripting and SQL Injection Vulnerabilities 103435
> unknown (9000/tcp) High
> pfile 1.02 is vulnerable
> other versions may also be affected.
>
> Ultimate PHP Board multiple XSS flaws 19498
> unknown (9000/tcp) High

These seem to be "false positives" in the sense that the scanner seems to interpret the open TCP 9000 port as some possible flaws.

- YaBB is a bulletin board;
- Cart32 is an eCommerce shopping-cart;
- pfile is not used;
- Ultimate PHP Board is a bulletin board;

PacketFence bundles graphite (http://graphite.wikidot.com/) which is configured to run on TCP 9000 but is not targeted by any of the possible mentioned flaws. None of the stated possible attack vectors are running / used by PacketFence and none of these should be running on the server (except if you use the PacketFence server for other purposes).

> http TRACE XSS attack 11213
> unknown (9000/tcp) High
> http TRACE XSS attack 11213
> zeus-admin (9090/tcp) High
> http TRACE XSS attack 11213
> ies-lm (1443/tcp) High
> http TRACE XSS attack 11213
> realserver (7070/tcp) High

We will look at disabling HTTP TRACE on the different Apache VirtualHosts.

As previously said, thanks for the report and we will continue looking at it to make sure nothing could affect the security of the solution.

If you have any concern, don't hesitate!

Cheers!
-dw.

--
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc.
:: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

> On Jul 1, 2016, at 06:38, Torry, Andrew <[email protected]> wrote:
>
> Hi group,
>
> I have recently run a 'Full, Deep and non-destructive' scan of our PF 6 server
> and was concerned at a few Serious and High rated vulnerabilities relating to
> third party applications used in the PF code.
>
> Vuln Name                                                               VulnID  Service               Severity
> --------------------------------------------------------------------------------------------------------------
> YaBB XSS and Administrator Command Execution                            14782   unknown (9000/tcp)    Serious
>   Vulnerable url:
>   http://....:9000/dashboard/YaBB.pl?board=;action=imsend;to=%22%3E%3Cscript%3Efoo%3C/script%3E
>
> Cart32 GetLatestBuilds XSS                                              12290   unknown (9000/tcp)    High
>   Vulnerable url:
>   http://....:9000/dashboard/cart32.exe/GetLatestBuilds?cart32=%3Cscript%3Efoo%3C/script%3E
>
> pfile Multiple Cross Site Scripting and SQL Injection Vulnerabilities   103435  unknown (9000/tcp)    High
>   pfile 1.02 is vulnerable
>   other versions may also be affected.
>
> Ultimate PHP Board multiple XSS flaws                                   19498   unknown (9000/tcp)    High
>
> http TRACE XSS attack                                                   11213   unknown (9000/tcp)    High
> http TRACE XSS attack                                                   11213   zeus-admin (9090/tcp) High
> http TRACE XSS attack                                                   11213   ies-lm (1443/tcp)     High
> http TRACE XSS attack                                                   11213   realserver (7070/tcp) High
> --------------------------------------------------------------------------------------------------------------
>
> What is the take on disabling HTTP TRACE on the virtual hosts (Apache says it
> is not a problem)?
> Also is there a fix for the YaBB, Cart32 and pfile issues?
>
> We need to sort this out as our entire enterprise will fail its PCI
> compliance testing if any of our servers has such Serious and/or High 'issues'.
>
> Thanks
>
> Andrew
>
> ------------------------------------------------------------------------------
> Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
> Francisco, CA to explore cutting-edge tech and listen to tech luminaries
> present their vision of the future. This family event has something for
> everyone, including kids. Get more information and register today.
> http://sdm.link/attshape
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
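To confirm the TRACE change once it is made (Apache's server-wide core directive for this is TraceEnable off in httpd.conf), here is an added example in Python; it is not PacketFence or Inverse code. It sends one TRACE request to a port the scan flagged and classifies the reply: a 2xx answer echoing the request as message/http means TRACE is still enabled, a 405 is what Apache returns once it is off. Assumptions: the listeners speak HTTP/1.1, the host is reachable from where the script runs, and since the thread does not say which of the four ports are HTTPS, the caller chooses use_tls per port.

```python
import socket
import ssl

# Ports flagged "http TRACE XSS attack" in the scan report quoted above.
TRACE_PORTS = (9000, 9090, 1443, 7070)

def build_trace_request(host: str) -> bytes:
    # A custom header makes an echoed request easy to recognise in the reply.
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\nX-Trace-Check: pf\r\n"
            "Connection: close\r\n\r\n").encode()

def classify_trace_response(raw: bytes) -> str:
    """'enabled' = 2xx echo (Content-Type: message/http), TRACE still on;
    'disabled' = 405/403/501 (Apache with TraceEnable off); else 'unknown'."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ", 2)
    if len(status) < 2 or not status[0].startswith(b"HTTP/"):
        return "unknown"          # empty reply, non-HTTP banner, TLS hit in clear, ...
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if status[1].startswith(b"2") and headers.get(b"content-type", b"").startswith(b"message/http"):
        return "enabled"
    if status[1] in (b"405", b"403", b"501"):
        return "disabled"
    return "unknown"

def probe(host: str, port: int, use_tls: bool = False, timeout: float = 5.0) -> str:
    """Send one TRACE request to host:port and classify the answer."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # appliance certs are often self-signed; only the HTTP answer matters here
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except OSError:       # timeout or TLS error: classify what we have
                break
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))
```

Call probe(host, port) for each port in TRACE_PORTS, with use_tls=True on the HTTPS listeners; "disabled" on every port is the result to expect after the VirtualHosts pick up the new setting.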
