Kerio User Forums » Kerio Connect » Continue the Stand-Alone Admin Console
Autosoft

Like other threads here, I too would like to see the stand alone console continued but for different reasons.

I have had a bug report in for a long time now about how the embedded web server in Connect is susceptible to cross-site scripting attacks. Because of this, our servers fail their PCI (credit card) compliance security scans, which is a very serious issue. This invalidates our security seals to our clients. To correct this, I have had to firewall off Connect's web ports from the outside world so we can maintain our security rating. This completely voids any advantage a web admin console might have.

I would like to see the following implemented:

Because we don't use webmail (never will) or web admin, when I turn these off I want the web ports completely closed and the service shut down. I really don't want to have to firewall off buggy services we do not use; just close the port entirely when it's not needed. Connect's cross-site scripting issues exist in the error reporting system, so leaving the port open and handing out a 'not authorized' error page only plays into the vulnerability itself. If not in use, then just close the ports.

Continue to support the stand-alone console. The fact that the console uses its own non-standard communication protocols makes it inherently more secure than a standard HTTP-style interface. The web admin is also far behind the old console in usability, and working with it really feels like a large step backwards. I appreciate the advantages it will provide for some other customers, but with a vulnerable embedded web-server implementation, and in a high-security environment where closing every possible port is critical, the web admin concept just becomes a gaping hole for potential issues. Supporting both consoles allows greater flexibility for your customers, not to mention the fact that the web console is still lacking in usability.

[Updated on: Wed, 01 September 2010 17:35]

Autosoft

Can I get an update on this or perhaps the status of the cross site scripting issues?
freakinvibe

If you don't need webmail, stop the KMS HTTP and HTTPS service and set them to "Manual".

This will not close ports 80 and 443, though. Just stopping a service will never close a port (that's true for any service, not just Kerio).

For a highly secure server, you should by default close all ports with a firewall and then only open those you really need.

Regarding the WebAdmin I'm also of the opinion that the Console is better. I am not using WebAdmin.

[Updated on: Fri, 10 September 2010 11:17]


Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
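The two steps freakinvibe describes (stop the unused services, then check what is still bound and firewall everything else) are the kind of thing you want to verify rather than assume. The script below is an added example for this thread, not code from the forum post or from Kerio. It assumes a Linux host where `ss -Hltn` (or `netstat -ltn` on older systems) lists listening TCP sockets; the `ss` output and the allowlist of ports are constructed sample data. It prints ports that are listening but not allowlisted, and emits a default-deny iptables rule set for the allowlist so you can review it before applying it as root.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Kerio): after stopping
# the KMS HTTP/HTTPS services, confirm which TCP ports are still bound and
# compare them against an allowlist, then generate a default-deny firewall.

# listening_ports: read `ss -Hltn`-style lines on stdin and print the local
# port numbers, one per line. Field 4 is "addr:port"; IPv6 addresses
# contain ':' themselves, so the port is whatever follows the last ':'.
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# unexpected_listeners PORTS ALLOWLIST: print each port in the
# space-separated PORTS that is missing from the space-separated
# ALLOWLIST; return 1 if any were found, 0 otherwise.
unexpected_listeners() {
    ports="$1"; allow="$2"; rc=0
    for p in $ports; do
        case " $allow " in
            *" $p "*) ;;
            *) echo "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# default_deny_rules ALLOWLIST: emit iptables commands that drop all
# inbound traffic except loopback, established connections and the
# allowlisted TCP ports. Rules are added before the DROP policy so an
# existing admin session is not cut off mid-way. Remember to include
# your management port (e.g. SSH) in the allowlist before applying.
default_deny_rules() {
    allow="$1"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $allow; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

# Constructed sample of `ss -Hltn` output from a mail host where the web
# services were "stopped" but something is still bound to 80 and 443.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:25    0.0.0.0:*
LISTEN 0 128 0.0.0.0:80    0.0.0.0:*
LISTEN 0 128 [::]:443      [::]:*
LISTEN 0 128 127.0.0.1:4040 0.0.0.0:*
LISTEN 0 128 0.0.0.0:993   0.0.0.0:*'

# Ports this server is meant to expose (an assumption for the example).
ALLOWED="25 993"

found_ports=$(printf '%s\n' "$SAMPLE_SS" | listening_ports)
printf 'listening: %s\n' "$(echo "$found_ports" | tr '\n' ' ')"
if unexpected_listeners "$found_ports" "$ALLOWED"; then
    echo "OK: only allowlisted ports are listening"
else
    echo "WARNING: the ports above are bound but not allowlisted;"
    echo "stop the owning process, or apply a default-deny firewall such as:"
    default_deny_rules "$ALLOWED"
fi
```

On a real host replace `SAMPLE_SS` with `$(ss -Hltn)`, and pipe the generated rules into `sh` only after reading them; the 127.0.0.1-bound port in the sample is reported too, because a local-only listener still matters if the scanner or an attacker can reach the box another way.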
Pavel Dobry (Kerio)

Autosoft wrote on Fri, 10 September 2010 05:56
Can I get an update on this or perhaps the status of the cross site scripting issues?


Me too, please. We have no information about existing XSS issues.
freakinvibe

According to

http://secunia.com/advisories/search/?search=kerio

four Kerio-related vulnerabilities have been found in the last two years. All of them have been fixed. So it is not clear which vulnerability you are talking about.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch