Vulnerability Note VU#245081
Accoria Rock Web Server contains multiple vulnerabilities
Overview
Accoria Web Server contains multiple vulnerabilities that collectively could allow an attacker to execute commands through the administration interface.
Description
The Accoria web server, also known as Rock Web Server, contains several cross-site scripting (XSS) and cross-site request forgery (XSRF) vulnerabilities. Directory traversal and format string vulnerabilities exist as well. The getenv sample code contains an XSS vulnerability when viewed by Internet Explorer 6 or other web browsers that do not follow RFC 2616 Section 7.2.1. Generated cookies appear to be weak and predictable, which may allow an attacker to bypass authentication. Further details are available from the IOActive security advisory.
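The getenv XSS described above is the classic failure of a diagnostic page that echoes request data. The following is an added example, not code from Accoria or IOActive, and it assumes the getenv sample echoes CGI-style environment variables; it renders such a page with every value HTML-escaped, an explicit Content-Type, and a nosniff header for browsers that honor it (escaping is what protects the RFC 2616 7.2.1 non-conforming case, since nosniff postdates IE6).

```python
import html
from typing import Dict, Iterable, List, Tuple

# Constructed sample of a CGI-style environment such as a getenv page might echo.
# QUERY_STRING carries markup so the test can show that it never reaches the page raw.
SAMPLE_ENV: Dict[str, str] = {
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "name=<script>alert(1)</script>",
    "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0)",
}


def render_env_page(env: Dict[str, str]) -> Tuple[List[Tuple[str, str]], str]:
    """Return (headers, body) for a page that lists environment variables.

    Every key and value is passed through html.escape, so request-controlled
    data cannot break out of its table cell. The Content-Type is declared with a
    charset, and X-Content-Type-Options: nosniff tells browsers that support it
    not to second-guess that declaration.
    """
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>\n"
        for k, v in sorted(env.items())
    )
    body = "<!DOCTYPE html><html><body><table>\n" + rows + "</table></body></html>\n"
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    return headers, body


def leaks_raw_markup(body: str, values: Iterable[str]) -> bool:
    """True if any input value containing angle brackets appears verbatim in body."""
    return any(("<" in v or ">" in v) and v in body for v in values)


if __name__ == "__main__":
    hdrs, page = render_env_page(SAMPLE_ENV)
    print("\n".join(f"{k}: {v}" for k, v in hdrs))
    print()
    print(page)
```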
Impact
A remote and unauthenticated attacker may be able to execute commands in the context of the web server administrator.
Solution
Apply an update
Restrict access
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Accoria Networks | Affected | - | 22 Jun 2010 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
Credit
Thank you to Ilja van Sprundel of IOActive for researching and reporting these vulnerabilities.
This document was written by Jared Allar.
Other Information
- CVE IDs: Unknown
- Date Public: 19 May 2010
- Date First Published: 01 Jun 2010
- Date Last Updated: 22 Jun 2010
- Severity Metric: 3.10
- Document Revision: 24