Hi, not sure if this is an actual issue, so I'm posting it here first, in case someone knows better. We recently ran a vulnerability assessment using Nessus against our server running Cyrus and it detected the following medium-risk XSS issue (the actual report is at the bottom of the email).

9080 is the custom port https is configured to listen on. From what I understand, it seems that someone could craft a special request and enter script code via the headers sent, code that appears in the response and could actually be executed in case a browser is used. The report had multiple example requests, but technically they were all the same, so I'm just attaching the first example request that confirms the issue.

Regards,
Savvas Karagiannidis

Here's the related part of the report:

Synopsis
The remote web server is affected by a cross-site scripting vulnerability.

Description
The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. A remote attacker can exploit this issue, via a specially crafted request, to execute arbitrary HTML and script code in a user's browser within the security context of the affected site.

See Also
https://en.wikipedia.org/wiki/Cross-site_scripting

Solution
Contact the vendor for a patch or upgrade.

Risk Factor
Medium

CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score
3.7 (CVSS2#E:H/RL:OF/RC:C)

References
BID 5011 <http://www.securityfocus.com/bid/5011>
BID 5305 <http://www.securityfocus.com/bid/5305>
BID 7344 <http://www.securityfocus.com/bid/7344>
BID 7353 <http://www.securityfocus.com/bid/7353>
BID 8037 <http://www.securityfocus.com/bid/8037>
BID 14473 <http://www.securityfocus.com/bid/14473>
BID 17408 <http://www.securityfocus.com/bid/17408>
BID 54344 <http://www.securityfocus.com/bid/54344>
CVE CVE-2002-1060 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1060>
CVE CVE-2002-1700 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1700>
CVE CVE-2003-1543 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1543>
CVE CVE-2005-2453 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2453>
CVE CVE-2006-1681 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1681>
CVE CVE-2012-3382 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3382>
XREF CWE:79 <http://cwe.mitre.org/data/definitions/79>

Plugin Information
Published: 2001/11/30, Modified: 2018/07/06

Plugin Output
tcp/9080

------------------------------ Request #1 ------------------------------

The full request used to detect this flaw was :

GET /cgi-bin/llknxx7s.html HTTP/1.1
Host: <script>alert(Host)</script>:9080
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

The output was :

HTTP/1.1 404 Not Found
Date: Thu, 23 Jan 2020 18:13:22 GMT
Connection: close, Upgrade
Upgrade:
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 437
[...] Jansson/2.9 Server at <script>alert(Host)</script> Port 9080</address></ [...]
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus