BugTraq
Apache VCL improper input validation May 06 2013 04:32PM
Josh Thompson (jfthomps apache org)
CVE-2013-0267: Apache VCL improper input validation

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache VCL 2.1, 2.2, 2.2.1, 2.3, 2.3.1

Description:
Some parts of VCL did not properly validate input data. This problem was
present both in the Privileges portion of the web GUI and in the XMLRPC API.

A malicious user having a minimal level of administrative rights could
manipulate the data submitted by the web GUI or submit non-standard data to
the API to gain additional administrative rights.

The API functions that are vulnerable were introduced in 2.3.1. Some of those
API functions can also be exploited to perform a DoS attack on the site to
remove access from other users and to perform an XSS attack to gain elevated
privileges.

The vulnerabilities were found by an Apache VCL developer doing a code review.
No known exploits are in the wild at this point.

Fixed Versions:
Apache VCL 2.2.2, 2.3.2

Mitigation:
Apache VCL 2.3 and 2.3.1 users should upgrade to 2.3.2 as soon as possible.
Apache VCL 2.2 and 2.2.1 users should upgrade to 2.2.2 as soon as possible.
Apache VCL 2.1 users should upgrade to 2.2.2 or 2.3.2 as soon as possible.

Apache VCL 2.2.2 and 2.3.2 can be downloaded from
http://vcl.apache.org/downloads/download.cgi

Workarounds:
There are no complete workarounds. However, users must have at least one of
the nodeAdmin, manageGroup, resourceGrant, or userGrant privileges to exploit
the vulnerabilities. Removing that access from anyone who is not fully trusted
will minimize the chances of an exploit against your site.

Josh Thompson
Apache VCL release manager
