Another Security Metrics vulnerability?

macjimbo

According to our latest security scan carried out to enforce payment card industry security rules, we have the following vulnerability:

Title: Web server vulnerability Impact: /webmail/blank.html: IlohaMail 0.8.10 contains an XSS vulnerability. Previous versions contain other non-descript vulnerabilities.

This on port 443, which is the webmail port.

Can anyone shed any light on what might cause this or know what I can do to fix?

Thanks

James
Pavel Dobry (Kerio)

You should ask the company which did the scan. This is clearly a false alarm.
macjimbo

Unfortunately people are always telling them that the alarms are false, so it has to be proved to be false.

This scan is performed by Security Metrics who are, to be fair, pretty major players in the security scanning industry and are partners with our bank.

Forgive my ignorance, but how can I know (i.e. prove to them) that this is a false alarm?

Thanks
Pavel Dobry (Kerio)

I believe they are major players. However, it is very easy to run a Nessus scan and then collect money for it.

You don't run IlohaMail and Kerio Connect has nothing to do with this software. If you look at the test itself, it just checks server identification in HTTP response. Nothing more. https://my.controlscan.com/threats/details.cgi?id=114637
Here is the Nessus script: http://static.askapache.com/hacking/nessus-plugins/ilohamail_detect.nasl

You should ask them for detailed logs and debug output from the test. That's what you're paying them for.
macjimbo

Thank you, that's helpful. I do agree with you, but unfortunately Barclays give us no choice: we have to work with SM, and if SM don't pass us as secure then we get charged 'non-secure' transaction fees.

Personally I think the whole thing is verging on a scam. Every time they re-scan there are a whole bunch of new 'vulnerabilities' which I then have to spend hours checking out. I'm sure they only do it to justify their existence. Some vulnerabilities are real; some are like this one, just lazy testing.

I didn't know what IlohaMail meant, so OK, now I understand it's another mail system and has nothing to do with KC.

Cheers

James
macjimbo

OK, I have finally heard back from SM and they won't give up. Now they want to know why Kerio is giving a 200 OK response:

Quote:
Thank you for your email. The vulnerability that is flagging is the result of receiving a 200 OK response from the server for the directory request. This directory and page are associated with IlohaMail 0.8.10. As you have indicated that the application does not exist on the server, please explain why the server is responding with a 200 OK.

GET /webmail/blank.html HTTP/1.0
Host: eddie.waveneyrivercentre.co.uk

HTTP/1.1 200 OK
Connection: Close
Content-Length: 80
Content-Type: text/html
Date: Mon, 8 Oct 2012 07:58:07 GMT
Last-Modified: Sun, 12 Aug 2012 16:39:01 GMT
Server: Kerio Connect 7.4.3
X-UA-Compatible: IE=edge

Does anyone know the answer to this?

Thanx
TorW

This is like asking "are you still beating your wife?".
Try firing up https://yourserver/webmail/blank.html and note that blank.html is actually there. Looking at the source should provide all the explanation you (or they) need.

If they still don't get it, tell them that a successful GET always returns a "200 OK".
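The point made in the last two posts, as an added example that is not part of the thread or of any Kerio or Security Metrics code: a scanner that treats any "200 OK" for /webmail/blank.html as proof of IlohaMail will flag every web server that happens to serve a file at that path. The snippet parses a raw HTTP response, applies that naive rule beside a check that demands product-specific evidence, and runs both over a constructed response modelled on the one quoted above (the body is an assumed placeholder; the thread does not show the contents of blank.html).

```python
from dataclasses import dataclass, field


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_response(raw: str) -> HttpResponse:
    """Parse a raw HTTP/1.x response (CRLF or LF line endings) into parts."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpResponse(status, headers, body)


def naive_ilohamail_check(resp: HttpResponse) -> bool:
    """The rule the scanner applied, as described in the thread: any 200 is a hit."""
    return resp.status == 200


def evidence_based_check(resp: HttpResponse) -> bool:
    """Only report IlohaMail when the page or the Server banner actually names it."""
    banner = resp.headers.get("server", "")
    return resp.status == 200 and "ilohamail" in (resp.body + banner).lower()


# Constructed sample modelled on the exchange quoted in the thread.
KERIO_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: Close\r\n"
    "Content-Type: text/html\r\n"
    "Server: Kerio Connect 7.4.3\r\n"
    "\r\n"
    "<html><body></body></html>"      # assumed placeholder body
)

# Constructed sample of what real product evidence would look like (hypothetical).
ILOHAMAIL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>IlohaMail 0.8.10</title></head></html>"
)
```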
macjimbo

Thank you. I have responded as you suggest.
macjimbo

This guy at SM is unbelievable. He is telling me that the path webmail/blank.html is associated with IlohaMail 0.8.10 and it is up to me to explain why this page exists if I'm not running IlohaMail.

This is patently ridiculous. Checking for vulnerabilities is fair enough, but checking for a file named blank.html in a webmail directory doesn't prove anything other than that the file exists. He can't seem to see this; it's like in his head the file itself is the vulnerability.

Sorry for ranting, nothing you guys can do to help - but it might help someone else with the same issue to know they're not alone!
freakinvibe

Checking for the existence of a specific HTML file to determine if an application is installed is complete bullshit, especially if they are checking for a common file name like "blank.html".

If they searched for "iloha_login.php" I would understand it, as this is very unique to the product, but checking for "blank.html" is just plain idiotic.

Especially as the HTTP headers say:

Quote:
Server: Kerio Connect 7.4.3

So they should know which product is installed.

Maybe you should escalate this to a more knowledgeable person within Security Metrics.
macjimbo

I agree. Completely stupid.