PT-2014-5804 · Openfiler · Openfiler

Published 2014-06-18 · Updated 2014-06-21 · CVE-2014-4309

CVSS v2.0

4.3 Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Openfiler version 2.99

Description

The issue allows remote attackers to inject arbitrary web script or HTML via various parameters, including TinkerAjax to "uptime.html", and remote authenticated users to inject arbitrary web script or HTML via parameters such as MaxInstances, PassivePorts, Port, ServerName, TimeoutLogin, TimeoutNoTransfer, or TimeoutStalled to "admin/services ftp.html". Other vulnerable parameters include dns1 or dns2 to "admin/system.html", and newTgtName to "admin/volumes iscsi targets.html". Additionally, the User-Agent HTTP header is vulnerable in multiple files, including "language.html", "login.html", "password.html" in the "account/" directory, and various files in the "admin/" directory.

Recommendations

For Openfiler version 2.99, consider disabling access to the vulnerable parameters and HTTP headers until a patch is available. Restrict access to the affected files, such as "uptime.html", "admin/services ftp.html", "admin/system.html", and "admin/volumes iscsi targets.html", to minimize the risk of exploitation. Avoid using the vulnerable parameters, including TinkerAjax, MaxInstances, PassivePorts, Port, ServerName, TimeoutLogin, TimeoutNoTransfer, TimeoutStalled, dns1, dns2, and newTgtName, in the affected files. As a temporary workaround, limit the use of the User-Agent HTTP header in the vulnerable files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
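
A log check that supports the recommendations above, as an added example that is not part of the original advisory: it flags access-log requests in which one of the listed parameters, or the User-Agent header, carries HTML markup characters. It assumes Apache combined log format and parameters sent in the query string; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the advisory description.
ADVISORY_PARAMS = {
    "TinkerAjax", "MaxInstances", "PassivePorts", "Port", "ServerName",
    "TimeoutLogin", "TimeoutNoTransfer", "TimeoutStalled",
    "dns1", "dns2", "newTgtName",
}
PARAM_MARKUP = re.compile(r"[<>\"']")  # characters that can break out of an HTML context
UA_MARKUP = re.compile(r"[<>]")        # angle brackets are not expected in a User-Agent
# Assumption: Apache "combined" log format (request, status, size, referer, UA).
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

def findings(line):
    """Return (field, decoded value) pairs that carry markup characters."""
    m = LINE.search(line)
    if not m:
        return []
    hits = []
    # parse_qsl percent-decodes, so encoded markup is caught as well.
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in ADVISORY_PARAMS and PARAM_MARKUP.search(value):
            hits.append((name, value))
    if UA_MARKUP.search(m.group("ua")):
        hits.append(("User-Agent", m.group("ua")))
    return hits

def scan(lines):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    return {n: f for n, line in enumerate(lines, 1) if (f := findings(line))}

# Constructed sample log lines (documentation addresses, harmless markers).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jun/2014:10:00:01 +0000] "GET /uptime.html?TinkerAjax=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.11 - - [18/Jun/2014:10:00:05 +0000] "GET /uptime.html?TinkerAjax=%22%3E%3Cb%3Eprobe HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [18/Jun/2014:10:00:09 +0000] "GET /admin/system.html?dns1=198.51.100.53&dns2=198.51.100.54 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [18/Jun/2014:10:00:12 +0000] "GET /account/login.html HTTP/1.1" 200 700 "-" "Mozilla/5.0 <i>probe</i>"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
```

Parameters sent in a POST body do not appear in an access log, so this check covers query-string values and the User-Agent header only.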

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2014-4309

Affected Products

Openfiler