Re: Another ZEUS Server web admin XSS!

security_at_zeus.com
Date: 05/30/03

    Date: 30 May 2003 15:06:56 -0000
    To: bugtraq@securityfocus.com
    
    
    In-Reply-To: <20030529174830.9975.qmail@www.securityfocus.com>

    Zeus Technology, 30th May 2003.
    "Another ZEUS Server web admin XSS!" vendor response

    On May 29th 2003, a cross-site-scripting attack against the Zeus
    Administration Server was reported on bugtraq (incident "Another ZEUS
    Server web admin XSS!").

    Zeus Technology has investigated this report and confirms that a
    cross-site-scripting exploit is possible under very limited conditions.
    This vulnerability is present in Zeus Web Server version 4.2r2 and
    earlier. Zeus have product patches which will be available shortly
    through Zeus's support channel (support@zeus.com).

    These patches will be included in the next revision of Zeus Web Server
    (4.2r3) when it is released.

    Zeus Technology continue to advise that the Administration Server is
    shut down when not in use as a matter of routine.

    Zeus Technology work closely with customers, evaluators, security
    professionals and other researchers to ensure its products are secure
    and free from defects. Any security-related comments received at
    security@zeus.com, or through any other means, are treated with the
    utmost attention. Zeus Technology regret that the researcher published
    details of the exploit before contacting Zeus and allowing Zeus to
    prepare and distribute a fix.

    --
    security@zeus.com
    Zeus Technology Ltd
    Security Response Team
    Universally Serving the Net
    Tel:+44(0)1223 525000  Fax:+44(0)1223 525100
    http://www.zeus.com/
    Zeus House, Cowley Road, Cambridge, CB4 0ZT, ENGLAND
