<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>Dear colleagues,</p>
<p>Our webserver halldweb is still running on end-of-life RHEL7 and
is therefore vulnerable to attacks. A recent penetration test
discovered a long list of problems, which I paste below. You can
find more information in the ticket INC0237676. Please let me know
if you feel responsible for one or more of the items and ideally
propose a way forward. We plan to upgrade the webserver to RHEL9
soon which will fix many issues, but it would be good to purge
applications that are no longer in use before this switch.<br>
<br>
</p>
<ul>
<li><font size="3" color="#000000" face="helvetica"><span colspan="2"><span style="word-wrap:break-word;display:block;">SQL Injection<br>
<a class="moz-txt-link-freetext" href="https://halldweb.jlab.org/cgi-bin/maintenance/cgi/long_task.pl">https://halldweb.jlab.org/cgi-bin/maintenance/cgi/long_task.pl</a><br>
Likely a true positive, but the report does not give an
example payload which might be required to dial in on this
one.<br>
<br>
</span></span></font></li>
<li><font size="3" color="#000000" face="helvetica"><span colspan="2"><span style="word-wrap:break-word;display:block;">Access Control
Violation<br>
<a class="moz-txt-link-freetext" href="https://halldweb.jlab.org/tmp/mediawiki-1.17.0/mw-config/index.php">https://halldweb.jlab.org/tmp/mediawiki-1.17.0/mw-config/index.php</a><br>
MediaWiki 1.17.0 is from around 2011/2012, and this
installation doesn't appear to have ever been completely
setup. Should be safe to delete?<br>
<br>
</span></span></font></li>
<li><font size="3" color="#000000" face="helvetica"><span colspan="2"><span style="word-wrap:break-word;display:block;">Remote Code
Execution - Command Injection<br>
<a class="moz-txt-link-freetext" href="https://halldweb.jlab.org/users/davidl/WWWRoot/">https://halldweb.jlab.org/users/davidl/WWWRoot/</a><br>
Likely true positive. A sample payload would help to
identify the vulnerable code.<br>
<br>
</span></span></font></li>
<li><font size="3" color="#000000" face="helvetica"><span colspan="2"><span style="word-wrap:break-word;display:block;">Remote Code
Execution - CVE-2018-7600 - Drupal Version<br>
<a class="moz-txt-link-freetext" href="https://halldweb.jlab.org/halld-JDocDB/JDocDB/">https://halldweb.jlab.org/halld-JDocDB/JDocDB/</a><br>
Should be able to remediate this one by upgrading the
Drupal version, or removing it if this site is no longer
needed.<br>
<br>
</span></span></font></li>
<li><font size="3" color="#000000" face="helvetica"><span colspan="2"><span style="word-wrap:break-word;display:block;">Leaked
Credentials<br>
<a class="moz-txt-link-freetext" href="https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/edit_task.pl">https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/edit_task.pl</a><br>
<a class="moz-txt-link-freetext" href="https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/update.pl">https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/update.pl</a><br>
<a class="moz-txt-link-freetext" href="https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/new_task.pl">https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/new_task.pl</a><br>
<a class="moz-txt-link-freetext" href="https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/delete_task.pl">https://halldsvn.jlab.org/repos/trunk/online/maintenance/cgi/delete_task.pl</a><br>
Doesn't seem to be very sensitive data, but these scripts
are dated 1998. Safe to delete/remove from external
access?<br>
<br>
</span></span></font></li>
<li><font size="3" color="#000000" face="helvetica"><span colspan="2"><span style="word-wrap:break-word;display:block;">Default
Credentials - admin:admin<br>
<a class="moz-txt-link-freetext" href="https://halldweb.jlab.org/grafana/login">https://halldweb.jlab.org/grafana/login</a><br>
I have confirmed this site can be logged into with the
username and password of admin/admin. If this Grafana
instance is still used, this needs to be updated - but it
doesn't look like this is still being used.<br>
<br>
</span></span></font></li>
<li><font size="3" color="#000000" face="helvetica"><span colspan="2"><span style="word-wrap:break-word;display:block;">Path Traversal<br>
<a class="moz-txt-link-freetext" href="https://halldweb.jlab.org/SP/HallD_Racks/Search_in_DRacks.php">https://halldweb.jlab.org/SP/HallD_Racks/Search_in_DRacks.php</a><br>
<a class="moz-txt-link-freetext" href="https://halldweb.jlab.org/SP/HallD_Racks_orig/Search_in_DRacks.php">https://halldweb.jlab.org/SP/HallD_Racks_orig/Search_in_DRacks.php</a><br>
The report does not give a sample payload, which would help to
identify the affected code.<br>
<br>
</span></span></font></li>
<li><font size="3" color="#000000" face="helvetica"><span colspan="2"><span style="word-wrap:break-word;display:block;">Path Traversal<br>
<a class="moz-txt-link-freetext" href="https://halldweb.jlab.org/data_monitoring/js_utilities/CalibrationCrawler.php">https://halldweb.jlab.org/data_monitoring/js_utilities/CalibrationCrawler.php</a><br>
Will attempt to retrieve a sample payload for testing.</span></span></font></li>
</ul>
<p>Thank you for your cooperation,</p>
<p>Alex<br>
</p>
<br>
<pre class="moz-signature" cols="72">--
Alexander Austregesilo
Staff Scientist - Experimental Nuclear Physics
Thomas Jefferson National Accelerator Facility
Newport News, VA
<a class="moz-txt-link-abbreviated" href="mailto:aaustreg@jlab.org">aaustreg@jlab.org</a>
(757) 269-6982
</pre>
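<p>The SQL injection and the two path-traversal findings above are the same class of bug: a request parameter reaching a SQL statement or a file path unchecked. The Perl below is an added illustration of that class in a CGI script, each bug in a vulnerable and a hardened form. It is not the code of long_task.pl, Search_in_DRacks.php, CalibrationCrawler.php or any other script on halldweb, and the database, table, column and directory names in it are made up for the example.</p>

```perl
#!/usr/bin/perl
# Hypothetical illustration of SQL injection and path traversal in a Perl CGI
# script, each beside its hardened form. Not the code of any script on
# halldweb; database, table, column and directory names are invented.
use strict;
use warnings;
use CGI qw(param header);
use DBI;
use File::Spec;
use Cwd qw(realpath);

# Credentials come from the environment, not from the script text, so a
# checked-in copy of the script leaks nothing.
my $dbh = DBI->connect("dbi:mysql:database=maintenance",       # assumed DB
                       $ENV{MAINT_DB_USER}, $ENV{MAINT_DB_PASS},
                       { RaiseError => 1, PrintError => 0 });

# --- SQL injection: vulnerable form ---------------------------------------
# Interpolating the parameter into the SQL text lets a value containing a
# quote close the literal and append its own clause to the statement.
sub list_tasks_unsafe {
    my ($status) = @_;
    my $sql = "SELECT id, title FROM tasks WHERE status = '$status'";
    return $dbh->selectall_arrayref($sql);
}

# --- SQL injection: hardened form -----------------------------------------
# A bind parameter keeps the value out of the SQL text entirely; the driver
# sends it as data, so quotes in it cannot change the statement.
sub list_tasks_safe {
    my ($status) = @_;
    my $sth = $dbh->prepare("SELECT id, title FROM tasks WHERE status = ?");
    $sth->execute($status);
    return $sth->fetchall_arrayref;
}

# --- Path traversal: vulnerable form --------------------------------------
# Joining a user-supplied name onto the base directory lets "../" segments
# in the name walk out of it to any file the web server user can read.
my $BASE = '/var/www/html/racks';    # assumed data directory, no symlinks
sub read_record_unsafe {
    my ($name) = @_;
    open my $fh, '<', "$BASE/$name" or return undef;
    local $/; my $data = <$fh>; close $fh;
    return $data;
}

# --- Path traversal: hardened form ----------------------------------------
# Accept only a conservative character set and no leading dot (which also
# rejects ".."), then resolve symlinks and "." / ".." with realpath and
# refuse anything whose canonical path is not inside $BASE.
sub read_record_safe {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /\A[A-Za-z0-9_.-]{1,64}\z/;
    return undef if $name =~ /\A\./;
    my $real = realpath(File::Spec->catfile($BASE, $name));
    return undef unless defined $real && index($real, "$BASE/") == 0;
    open my $fh, '<', $real or return undef;
    local $/; my $data = <$fh>; close $fh;
    return $data;
}

# Request handling uses only the hardened forms.
print header('text/plain');
my $rows = list_tasks_safe(param('status') // 'open');
print join("\n", map { "$_->[0]\t$_->[1]" } @$rows), "\n";
my $rec = read_record_safe(param('rack') // '');
print defined $rec ? $rec : "no such record\n";
```

<p>The hardened forms are the pattern to look for when the owners review the flagged scripts: DBI placeholders instead of values interpolated into the statement, and a canonical-path check against the base directory before any open. The base directory itself should be a real, canonical path (or passed through realpath once at startup), otherwise the prefix comparison can be fooled by a symlink.</p>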
</body>
</html>