Re: KF Web Server 3.1.0 admin console XSS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: KF Web Server 3.1.0 admin console XSS
From: support@xxxxxxxxxxxx
Date: 26 Jun 2007 13:26:10 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Thank you Shay for finding this issue and taking the time to test our product.

We consider this issue to be of minor severity as it does not affect web sites 
hosted by the web server.

The problem is not in the web server itself but in the admin script hosted by 
the server. In order to access this script the attacker would need to be logged 
onto the server locally and have the admin password. With that level of access 
they would already have complete control of the web server configuration, in 
effect root access, so there would be no need to use this technique.

We do take this issue and all security issues seriously and have issued a patch 
which can be downloaded from our web site.

http://www.keyfocus.net/kfws/download/

Prev by Date: SYMSA-2007-004: Multiple Vulnerabilities in Xythos Server Products
Next by Date: rPSA-2007-0133-1 emacs emacs-leim
Previous by thread: KF Web Server 3.1.0 admin console XSS
Next by thread: Ingres verifydb local stack overflow
Index(es):
- Date
- Thread