Re: Astaro Security Gateway v8.1 - Input Validation Vulnerability
From: Ferenc Kovacs <tyra3l () gmail com>
Date: Tue, 10 Jan 2012 13:24:27 +0100
On Mon, Jan 9, 2012 at 3:15 PM, Markus Hennig <Markus.Hennig () sophos com> wrote:
> Astaro hereby confirms the described vulnerability.
> In spite of the text below it is not remotely exploitable, but needs a valid
> administration account to access the web configuration interface called
if it is an XSS attack, then why would the attacker need an account to
> Within WebAdmin a privilege escalation is the worst case scenario which
> can happen. The user with higher privileges has to open a preview window of
> an XSS manipulated object.
yeah, if the malicious person can bait a logged-in user to visit the
prepared url, that would allow the attacker to create an account.
> Because every access and all object modifications are logged with
> username and IP and because the issue is not remotely exploitable we will fix
> it within the regular Up2Date schedule with release of version 8.301.
uhm, I don't see why proper logging would mitigate the fact that the
system is compromised.
but it is a good thing that you are fixing it.
@Tyr43l - http://tyrael.hu
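The flaw discussed in the thread is a stored XSS: a low-privileged administrator saves an object whose name carries markup, and the preview window later renders that name into the page for a higher-privileged user. The block below is an added illustration, not code from the original posts and not Astaro's WebAdmin code; the two `render_preview_*` functions and the page template are hypothetical stand-ins for whatever WebAdmin actually does. It shows the unescaped concatenation beside the output-encoded fix, and a small regression check that any template-based preview can be run through to confirm that untrusted input cannot contribute markup-significant characters to the rendered page.

```python
import html
import re

# Hypothetical preview template: everything except the object name is
# static, trusted markup. The real WebAdmin template is not on the page.
TEMPLATE_BEFORE = "<html><body><h1>Preview of "
TEMPLATE_AFTER = "</h1></body></html>"

# Constructed probe values, ordered from an element injection, to an
# attribute break-out, to a harmless name that must still render intact.
PROBES = [
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
    'Intranet HTTP rule',
]


def render_preview_vulnerable(object_name: str) -> str:
    """Renders the preview the way the advisory describes the defect:
    the stored object name is concatenated into the HTML unchanged."""
    return TEMPLATE_BEFORE + object_name + TEMPLATE_AFTER


def render_preview_fixed(object_name: str) -> str:
    """Same preview with the untrusted value HTML-entity encoded, so it
    is displayed as text and can neither open a tag nor close the h1."""
    return TEMPLATE_BEFORE + html.escape(object_name, quote=True) + TEMPLATE_AFTER


def untrusted_segment(rendered: str) -> str:
    """Strips the trusted template and returns only the part of the page
    that was derived from the stored object name."""
    if not (rendered.startswith(TEMPLATE_BEFORE) and rendered.endswith(TEMPLATE_AFTER)):
        raise ValueError("rendered page does not match the preview template")
    return rendered[len(TEMPLATE_BEFORE):-len(TEMPLATE_AFTER)]


def segment_is_inert(segment: str) -> bool:
    """True when the untrusted segment contains no character that could
    start a tag, end one, or terminate an attribute value. Entity
    references such as &lt; or &quot; are fine: the browser shows them
    as text in this element context."""
    return re.search(r'[<>"\']', segment) is None


def check_renderer(render, probes=PROBES) -> list:
    """Runs each probe through a renderer and returns the probes whose
    markup survived into the page. An empty list means the renderer
    neutralised every probe; a non-empty list is a finding to fix."""
    return [p for p in probes if not segment_is_inert(untrusted_segment(render(p)))]


def preview_response_headers() -> dict:
    """Defence in depth for the preview window: a CSP that forbids inline
    script, so a missed encoding spot cannot execute attacker-controlled
    JavaScript in the privileged admin's session. Policy values are a
    reasonable baseline chosen for this example, not WebAdmin's own."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("vulnerable renderer leaks:", check_renderer(render_preview_vulnerable))
    print("fixed renderer leaks:     ", check_renderer(render_preview_fixed))
    print(render_preview_fixed(PROBES[0]))
```

In a real code base the check would be run in CI against every view that renders a stored object attribute, with the probe list extended to the contexts the application uses (attribute, URL and JavaScript contexts each need their own encoder, and `html.escape` covers only the element and quoted-attribute cases shown here). The CSP header is a second layer, not a replacement for encoding, and it does nothing about the audit-log point raised in the thread: logging the privileged user's account creation records the escalation after it has happened rather than preventing it.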
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/