
XSS Vulnerability

Topics about the Beta trials up to Build 3043, the last build by Cumulus's founder Steve Loft. It was by this time way out of Beta but Steve wanted to keep it that way until he made a decision on his and Cumulus's future.

crablab
Posts: 6
Joined: Tue 23 Feb 2016 9:26 pm
Weather Station: Davis Vantage Vue
Operating System: Ubuntu
Location: 443

XSS Vulnerability

Post by crablab »

Hi,

I've just had a PCI Compliance report back on our internal network. We're using Cumulus MX for some development work. They've failed the system running Cumulus as it is vulnerable to XSS. Obviously as this is a big security issue (potentially unknown) I'd expect someone would want to look at it ASAP! I enclose the report below:

10618137 Web server Multiple Cross-Site Scripting Vulnerabilities Detected 8080 / tcp CVE: 6.4 No medium
Host: 92.27.234.117
CVSS base score: 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS Temporal Score: 5.3 E:F/RL:O/RC:C
Severity: 3
QID: 86175
Category: Web server
CVE ID:
Vendor Reference:
Bugtraq ID:
Date updated: 23/07/2015 04:31
Threat:
Your Web server/application does not filter script embedding from links displayed on a server's Web site.
A malicious user can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyperlink. Upon clicking the hyperlink, your Web server will generate an error message including the specified or embedded script. The specified or embedded script is executed in the client's browser and treated as content originating from the target server returning the error message (even though the scripting may have originated from another site entirely).

Note: Each report line represents a unique cross-site scripting on that page.

Impact:
By exploiting this vulnerability, malicious scripts can be executed in the client's browser.
Solution:
Any Web application on the server may be affected by this vulnerability. To prevent cross-site scripting attacks from occurring, web developers should use static pages whenever possible and sanitize input / output.
The following vendors provided patches at the web server level. See below for a list of patches for some specific Web servers. If this information does not apply to your Web server, contact your Web server vendor. If your web server does not support filtering, please have your web developers resolve this issue at the application level.

This issue is fixed in Sun ONE / iPlanet Web Server 4.1 Service Pack 12 and above. The latest service pack is available for download from Sun ONE Web Server Enterprise Edition 4.1 Service Pack 13.

For Microsoft IIS 4/5/5.1, apply the cumulative patch described in Microsoft Security Bulletin MS02-018. No additional service packs are planned for Windows NT 4.0. IIS 5.0 fixes will be included in Windows 2000 Service Pack 3. IIS 5.1 fixes will be included in Windows XP Service Pack 1.

For IBM Websphere, please refer to websphere-faultactor-xss (30055).

For Web Applications: If your Web application is vulnerable, please check with the web application vendor for further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Web Server (Sun ONE / iPlanet Web Server 4.1 Service Pack 12)

Web Server: Windows (IIS 4.0, 5.0, 5.1)


RESULT:
GET /RaNdoM_JuNk HTTP/1.1
Connection: Keep-Alive
Host: "><script>alert(document.domain)</script>
<h1>Bad Request (Invalid url: http://"><script>alert(document.domain)</script>:8080/RaNdoM_JuNk)</h1>
Cheers,
steve
Cumulus Author
Posts: 26672
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: XSS Vulnerability

Post by steve »

Cumulus MX is not a general purpose web server. It is an application which happens to provide its data by responding to certain specific http calls. It is not intended to be used to respond to http requests over the Internet. It is not intended to be used in a commercial environment.

None of what you have posted means anything to me and it is not clear to me how it is relevant to Cumulus MX, particularly given the paragraph above. If you can explain to me exactly what security issue (real, rather than perceived) running Cumulus MX presents to the intended user base, then I would be happy to investigate. You have of course made absolutely certain that this supposed issue does pertain to Cumulus before posting here?
Steve
ConligWX
Posts: 1835
Joined: Mon 19 May 2014 10:45 pm
Weather Station: Davis vPro2+ w/DFARS + AirLink
Operating System: Ubuntu 24.04.1 LTS
Location: Bangor, NI

Re: XSS Vulnerability

Post by ConligWX »

This issue would be with patching IIS or Apache/NGINX or whatever your Web server software is.

By the looks of it, it's an old vulnerability. If your business cares about security, put a UTM in front of your servers, enable IPS and hackers will be dropped. I get about 5-10 hack attempts (known to Sophos UTM) on my Webserver a day; it just drops all packets to that IP.
jank
Posts: 239
Joined: Sat 13 Jun 2015 5:57 pm
Weather Station: FineOffset WS3080
Operating System: Debian Buster - Raspbian - Raspb
Location: Germany - nearby Kassel

Re: XSS Vulnerability

Post by jank »

Hello Toxic17

You may be right that there is an XSS Vulnerability in the built-in Webserver, but I am not sure if you noticed that the CumulusMX Webserver is not protected by a password at all. The Webserver used in CumulusMX is the "configuration interface" and, based on the fact that it is not password protected, it should never be installed on a server which is directly accessible from the internet.
Of course, when installed in the intranet only, it is still vulnerable, but this is not so critical.

If you would like to have the "Management Interface" reachable from the internet, you should use htpasswd to log in. And without having the username/password login credentials, I think the XSS Vulnerability would not apply?
Do you want a Managing Dashboard for CumulusMX on RaspberryPi? cumulusmx.sh
viewtopic.php?f=40&t=17907
steve
Cumulus Author
Posts: 26672
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: XSS Vulnerability

Post by steve »

jank wrote: If you would like to have the "Management Interface" reachable from the internet, you should use htpasswd to log in. And without having the username/password login credentials, I think the XSS Vulnerability would not apply?
But this assumes that this supposed vulnerability does actually apply to Cumulus and it is actually a real issue. As far as I can tell, this has yet to be demonstrated. Can we please not discuss solutions to a problem that may not exist? The original post has probably scared off some people from using MX already.
Steve
mcrossley
Posts: 14388
Joined: Thu 07 Jan 2010 9:44 pm
Weather Station: Davis VP2/WLL
Operating System: Bullseye Lite rPi
Location: Wilmslow, Cheshire, UK

Re: XSS Vulnerability

Post by mcrossley »

The original report above is on port 8080, a common web server port. Is it definitely Cumulus connected to that port? Cumulus would normally be running on port 8998.
Could it be that there is another web server at that IP address?
On a cursory test I could not invoke an XSS exploit in Cumulus using GET or POST.
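The scanner result quoted in the first post and the reproduction question in the post above come down to one check: send the same malformed Host header the scanner sent, see which server answers on the port, and see whether the reflected value comes back HTML-escaped or verbatim. The Python below is an added example written for this thread; it is not Cumulus MX code and says nothing about how Cumulus MX actually builds its error page. The target host and port, the Server header parsing, and the render_bad_request function (one hardened way to emit such an error page) are assumptions; the sample response bodies are constructed from the body quoted in the report.

```python
"""Check for an unescaped Host-header reflection in an HTTP error page.

Added example for this thread, not Cumulus MX code. Assumptions: the target
reflects the request URL into an HTML "Bad Request" body; host/port are
supplied by the caller; the Server header (if any) names the listener.
"""
import html
import re
import socket
import sys

# The Host value the scanner sent (copied from the report in the first post).
PAYLOAD = '"><script>alert(document.domain)</script>'
# The URL the server echoed back, as shown in the report.
REPORT_URL = f"http://{PAYLOAD}:8080/RaNdoM_JuNk"

# Constructed sample bodies for offline checks: the first mirrors the report,
# the second is what a correctly escaped version of the same page looks like.
UNESCAPED_BODY = f"<h1>Bad Request (Invalid url: {REPORT_URL})</h1>"
ESCAPED_BODY = (
    "<h1>Bad Request (Invalid url: http://&quot;&gt;&lt;script&gt;"
    "alert(document.domain)&lt;/script&gt;:8080/RaNdoM_JuNk)</h1>"
)


def build_request(path="/RaNdoM_JuNk", host_value=PAYLOAD):
    """Raw HTTP/1.1 request with the attacker-controlled Host header."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host_value}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("latin-1")


def is_reflected_unescaped(body, payload=PAYLOAD):
    """True if the payload is echoed verbatim: the markup would be parsed as HTML."""
    return payload in body


def is_reflected_escaped(body, payload=PAYLOAD):
    """True if the payload is echoed only in HTML-escaped form (safe rendering)."""
    return html.escape(payload, quote=True) in body and payload not in body


def server_banner(response_head):
    """Pull the Server header out of the response headers, or a placeholder."""
    m = re.search(r"^Server:[ \t]*(.+?)\r?$", response_head,
                  re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else "(no Server header)"


def render_bad_request(url):
    """Hardened error page (assumed, not Cumulus's): escape before embedding in HTML."""
    return f"<h1>Bad Request (Invalid url: {html.escape(url, quote=True)})</h1>"


def probe(host, port, timeout=5.0):
    """Send the scanner's request over a raw socket so the Host header goes out as-is."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("latin-1", errors="replace")
    head, _, body = raw.partition("\r\n\r\n")
    return {
        "status_line": head.split("\r\n", 1)[0],
        "server": server_banner(head),
        "reflected_unescaped": is_reflected_unescaped(body),
        "reflected_escaped": is_reflected_escaped(body),
    }


if __name__ == "__main__":
    # Usage: python3 probe.py <host> <port>  (8998 is the usual Cumulus MX port per this thread)
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    for key, value in probe(target_host, target_port).items():
        print(f"{key}: {value}")
```

Run it against the host in the report on both 8080 and 8998 (for example python3 probe.py 192.0.2.10 8998, with a placeholder address) and compare the two Server values and reflection flags; that settles whether the listener on 8080 is Cumulus at all. One caveat on severity that a pentester would raise: the injection point here is the Host header, which a browser sets from the URL the victim follows, so an attacker cannot plant this value via a hyperlink the way the scanner's generic threat text describes. It only becomes a practical client-side attack when something in front of the server lets an attacker influence the Host value, which still leaves the fix (escape before reflecting) the right thing to do.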
ConligWX
Posts: 1835
Joined: Mon 19 May 2014 10:45 pm
Weather Station: Davis vPro2+ w/DFARS + AirLink
Operating System: Ubuntu 24.04.1 LTS
Location: Bangor, NI

Re: XSS Vulnerability

Post by ConligWX »

Tell me what Cumulus is running on: what OS and hardware? You need to patch your OS/Webserver, or protect the webpages with .htaccess (Linux). Not sure of the IIS protection, but there should be some way of password protecting the pages/access with a password/IP whitelist.