[Halld-offline] halldweb vulnerabilities
Alexander Austregesilo
aaustreg at jlab.org
Tue Feb 25 17:47:14 EST 2025
Dear colleagues,
Our webserver halldweb is still running on end-of-life RHEL7 and is
therefore vulnerable to attacks. A recent penetration test discovered a
long list of problems, which I paste below. You can find more information
in the ticket INC0237676. Please let me know if you feel responsible for
one or more of the items and ideally propose a way forward. We plan to
upgrade the webserver to RHEL9 soon which will fix many issues, but it
would be good to purge applications that are no longer in use before
this switch.
* SQL Injection
https://halldweb.jlab.org/cgi-bin/maintenance/cgi/long_task.pl
Likely a true positive, but the report does not give an example
payload which might be required to dial in on this one.
* Access Control Violation
https://halldweb.jlab.org/tmp/mediawiki-1.17.0/mw-config/index.php
MediaWiki 1.17.0 is from around 2011/2012, and this installation
doesn't appear to have ever been completely setup. Should be safe to
delete?
* Remote Code Execution - Command Injection
https://halldweb.jlab.org/users/davidl/WWWRoot/
Likely true positive. Sample payload would help to identify the
vulnerable code.
* Remote Code Execution - CVE-2018-7600 - Drupal Version
https://halldweb.jlab.org/halld-JDocDB/JDocDB/
Should be able to remediate this one by upgrading the Drupal
version, or removing it if this site is no longer needed.
* Leaked Credentials
https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/edit_task.pl
https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/update.pl
https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/new_task.pl
https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/delete_task.pl
Doesn't seem to be very sensitive data, but these scripts are dated
1998. Safe to delete/remove from external access?
* Default Credentials - admin:admin
https://halldweb.jlab.org/grafana/login
I have confirmed this site can be logged into with the username and
password of admin/admin. If this Grafana instance is still used,
this needs to be updated - but it doesn't look like this is still
being used.
* Path Traversal
https://halldweb.jlab.org/SP/HallD_Racks/Search_in_DRacks.php
https://halldweb.jlab.org/SP/HallD_Racks_orig/Search_in_DRacks.php
Report does not give a sample payload which would help to identify
the affected code.
* Path Traversal
https://halldweb.jlab.org/data_monitoring/js_utilities/CalibrationCrawler.php
Will attempt to retrieve a sample payload for testing.
Thank you for your cooperation,
Alex
--
Alexander Austregesilo
Staff Scientist - Experimental Nuclear Physics
Thomas Jefferson National Accelerator Facility
Newport News, VA
aaustreg at jlab.org
(757) 269-6982