
Accoria Rock Web Server contains multiple vulnerabilities

Description

### Overview

Accoria Web Server contains multiple vulnerabilities that collectively could allow an attacker to execute commands through the administration interface.

### Description

The Accoria web server, also known as Rock Web Server, contains several cross-site scripting (XSS) and cross-site request forgery (XSRF) vulnerabilities. Directory traversal and format string vulnerabilities exist as well. The `getenv` sample code contains an XSS vulnerability when viewed by Internet Explorer 6 or other web browsers that do not follow [RFC 2616 Section 7.2.1](http://tools.ietf.org/html/rfc2616#section-7.2.1). Generated cookies appear to be weak and predictable, which may allow an attacker to bypass authentication. Further details are available from the [IOActive security advisory](http://www.ioactive.com/pdfs/AccoriaWebServer.pdf).

---

### Impact

A remote and unauthenticated attacker may be able to execute commands in the context of the web server administrator.

---

### Solution

**Apply an update**

The vendor recommends all users upgrade to version 1.5.2 or later.

---

**Restrict access**

Appropriate firewall rules should be set up to limit access to the web server's administration interface to only trusted sources.

**XSRF protection**

To avoid XSRF attacks, do not click on links from untrusted sources while logged into the administration interface.

---

### Vendor Information

245081

### Accoria Networks

Affected. Updated: June 22, 2010

**Status:** Affected

**Vendor Statement**

We have not received a statement from the vendor.

**Vendor Information**

The vendor recommends all users upgrade to version 1.5.2 or later.

**Vendor References**

* <http://www.accoria.com/>
* httpd1.5.2-linux-x86-64.tar.gz
* httpd1.5.2-solaris-x86-64.tar.gz

### CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

### References

* <http://www.ioactive.com/pdfs/AccoriaWebServer.pdf>
* <http://tools.ietf.org/html/rfc2616#section-7.2.1>

### Acknowledgements

Thank you to Ilja van Sprundel of IOActive for researching and reporting these vulnerabilities.

This document was written by Jared Allar.

### Other Information

Field | Value
---|---
**CVE IDs:** | None
**Severity Metric:** | 3.10
**Date Public:** | 2010-05-19
**Date First Published:** | 2010-06-01
**Date Last Updated:** | 2010-06-22 18:18 UTC
**Document Revision:** | 25
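The Description section above attributes the `getenv` sample's XSS to browsers that ignore RFC 2616 Section 7.2.1 and sniff the response body instead of honouring a declared media type, and separately notes weak, predictable session cookies. The following Python is an added illustration written for this page; it is not Accoria's `getenv` sample or any code from the vendor or IOActive. It contrasts a hypothetical environment-echo page that concatenates untrusted values with no Content-Type against a hardened version that declares the media type and charset, HTML-escapes every value, and sets `X-Content-Type-Options: nosniff` (which later browsers honour; IE6 does not, which is why escaping is the load-bearing fix). It also shows a session identifier drawn from a CSPRNG rather than a predictable source. The request environment is constructed for the example.

```python
"""Added example for the Accoria advisory: hardening an environment-echo page.

Hypothetical replacement for a CGI-style "print my environment" sample.
Nothing here is the vendor's code; SAMPLE_ENV is a constructed request.
"""

import html
import secrets

# Constructed CGI/WSGI-style environment. The User-Agent and query string
# carry HTML fragments, as request data reflected by such a page would if
# an attacker supplied them.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_USER_AGENT": 'Mozilla/4.0 <script>alert("xss")</script>',
    "QUERY_STRING": "name=<img src=x onerror=alert(1)>",
}


def render_env_page_unsafe(env):
    """The pattern the advisory describes: untrusted values concatenated
    straight into the body, and no Content-Type header at all. A sniffing
    browser (IE6) sees the angle brackets and renders the body as HTML."""
    body = "\n".join(f"{k}={v}" for k, v in sorted(env.items()))
    return [], body


def render_env_page(env):
    """Hardened variant.

    1. Every key and value is HTML-escaped, so reflected markup is inert
       in every browser, including ones that sniff.
    2. Content-Type is declared with a charset, as RFC 2616 7.2.1 expects.
    3. X-Content-Type-Options: nosniff tells modern browsers to trust the
       declared type rather than guess (IE6 predates this header).
    """
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in sorted(env.items())
    )
    body = f"<!DOCTYPE html><html><body><table>{rows}</table></body></html>"
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body.encode("utf-8")))),
    ]
    return headers, body


def has_injected_tag(body):
    """True if a raw tag from the input survived into the response body.
    Escaped output contains '&lt;script', never '<script'."""
    return "<script" in body or "<img" in body


def header_value(headers, name):
    """Look up a response header by name (case-sensitive, for the example)."""
    return dict(headers).get(name)


def new_session_id():
    """Session identifier from the OS CSPRNG (256 bits, URL-safe base64).
    Contrast with the predictable cookies the advisory reports; a token
    an attacker cannot guess is the minimum for an authentication cookie."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    _, unsafe_body = render_env_page_unsafe(SAMPLE_ENV)
    print("unsafe body reflects raw markup:", has_injected_tag(unsafe_body))
    hdrs, safe_body = render_env_page(SAMPLE_ENV)
    for k, v in hdrs:
        print(f"{k}: {v}")
    print("hardened body reflects raw markup:", has_injected_tag(safe_body))
    print("session id:", new_session_id())
```

`html.escape` defaults to `quote=True`, so attribute-breaking quotes in a reflected value are neutralised as well as angle brackets. The `Content-Length` is computed on the UTF-8 encoding, matching the declared charset, so a proxy or browser cannot be tricked into reading past or short of the intended body.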