Hi,
not sure if this is an actual issue, so I'm posting it here first, in case someone knows better.
We recently ran a vulnerability assessment using nessus against our server running cyrus and it detected the following medium risk XSS issue (the actual report is at the bottom of the email)
9080 is the custom port https is configured to listen on.
From what I understand it seems that someone could craft a special request and enter script code via the headers sent, code that appears in the response and could actually be executed in case a browser is used.
The report had multiple example requests, but technically they were all the same, so I'm just attaching the first example request that confirms the issue.
Regards,
Savvas Karagiannidis
Here's the related part of the report:
Synopsis
The remote web server is affected by a cross-site scripting vulnerability.
Description
The remote host is
running a web server that fails to adequately sanitize request strings
of malicious _javascript_. A remote attacker can exploit this issue, via a
specially crafted request, to execute arbitrary HTML and script code in
a user's browser within the security context of the affected site.
See Also
Solution
Contact the vendor for a patch or upgrade.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#E:H/RL:OF/RC:C)
References
| BID | 5011 |
| BID | 5305 |
| BID | 7344 |
| BID | 7353 |
| BID | 8037 |
| BID | 14473 |
| BID | 17408 |
| BID | 54344 |
| CVE | CVE-2002-1060 |
| CVE | CVE-2002-1700 |
| CVE | CVE-2003-1543 |
| CVE | CVE-2005-2453 |
| CVE | CVE-2006-1681 |
| CVE | CVE-2012-3382 |
| XREF | CWE:79 |
Plugin Information
Published: 2001/11/30, Modified: 2018/07/06
Plugin Output
tcp/9080
------------------------------ Request #1 ------------------------------
The full request used to detect this flaw was :
GET /cgi-bin/llknxx7s.html HTTP/1.1
Host: <script>alert(Host)</script>:9080
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
The output was :
HTTP/1.1 404 Not Found
Date: Thu, 23 Jan 2020 18:13:22 GMT
Connection: close, Upgrade
Upgrade:
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 437
[...] Jansson/2.9 Server at <script>alert(Host)</script> Port 9080</address></ [...]
The full request used to detect this flaw was :
GET /cgi-bin/llknxx7s.html HTTP/1.1
Host: <script>alert(Host)</script>:9080
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
The output was :
HTTP/1.1 404 Not Found
Date: Thu, 23 Jan 2020 18:13:22 GMT
Connection: close, Upgrade
Upgrade:
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 437
[...] Jansson/2.9 Server at <script>alert(Host)</script> Port 9080</address></ [...]
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
