I have just installed ASL 3.2 and upgraded it to 3.202. When I use Nessus to scan from the inside, the results are as attached.
Could you Astaro guys tell me how to solve this? Thanks in advance!
Vulnerability found on port http-alt (8080/tcp)
The proxy allows the users to perform CONNECT requests like
CONNECT http://cvs.nessus.org:23
This request gives the person who makes it the ability to have an interactive session.
This problem may allow attackers to go through your firewall, by connecting to sensitive ports like 23 (telnet) using your proxy, or it can allow internal users to bypass the firewall rules and connect to ports they should not be allowed to.
In addition to that, your proxy may be used to perform attacks against other networks.
Solution : reconfigure your proxy so that it refuses CONNECT requests.
Risk factor : High
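The usual fix for this finding is an access-control rule that denies CONNECT except to the HTTPS port, rather than disabling the proxy. The fragment below is an added example, not from the Nessus report or from Astaro; it assumes the ASL HTTP proxy on 8080/tcp is Squid-based (the directive names are Squid's, the 192.168.1.0/24 range is a constructed placeholder for the internal network).

```conf
# --- Before: the open-CONNECT configuration the scanner flagged ---
# Only the source network is checked, so any internal client can tunnel
# to any host:port (telnet/23, SMTP/25, ...) and the proxy never refuses.
http_port 8080
acl localnet src 192.168.1.0/24          # constructed internal range
http_access allow localnet
http_access deny all

# --- After: CONNECT restricted to HTTPS, everything else refused ---
http_port 8080
acl localnet src 192.168.1.0/24          # constructed internal range
acl SSL_ports port 443                   # the only port a tunnel may target
acl CONNECT method CONNECT
# Order matters: the CONNECT deny must come before the general allow,
# otherwise "allow localnet" matches first and the tunnel is permitted.
http_access deny CONNECT !SSL_ports      # refuses CONNECT cvs.nessus.org:23
http_access allow localnet
http_access deny all
```

After reloading, re-running the scan from the inside should no longer report the CONNECT finding, while browsers can still reach HTTPS sites through the proxy.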
Warning found on port http-alt (8080/tcp)
The Sambar webserver is running. It provides a web interface for sending emails.
You may simply pass a POST request to /session/sendmail and by this send mails to anyone you want.
Due to the fact that Sambar does not check HTTP referers, you do not need direct access to the server!
See http://www.toppoint.de/~hscholz/sambar for more information.
Solution : Try to disable this module. There might be a patch in the future.
Risk factor : High