|
 |
|
Parallels Power Panel Cross-Site Request Forgeries
|
|
|
|
|
Secunia Advisory:
|
SA29675
|
|
|
Release Date:
|
2008-04-11
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Cross Site Scripting
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Partial Fix
|
|
| Software: | Parallels Power Panel 4.x
|
|
|
|
|
|
Description:
poplix has reported some vulnerabilities in Parallels VZPP, which can be exploited by malicious people to conduct cross-site request forgery attacks and potentially compromise a vulnerable system.
The vulnerabilities are caused due to the application allowing users to perform certain actions in e.g. the "change password" and "file manager" sections via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change the administrator's password or overwrite arbitrary files by tricking an administrator into opening a malicious web page.
Successful exploitation may lead to a full system compromise.
Solution:
Do not browse other sites while being logged into Parallels Power Panel.
Reportedly, some of the problems are fixed in "version 365.6.swsoft (build: 4.0.0-365.6.swsoft)".
Provided and/or discovered by:
poplix
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
|
|
Secunia PSI
Scan | Patch | Track
Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|
