Note:
This topic has been translated from a Chinese forum by GPT and might contain errors. Original topic: TiFlash port 8123 flagged with CVE-2009-3960 by a vulnerability scan
[TiDB Usage Environment] Production Environment
[TiDB Version] 5.4.0
[Encountered Issue] During a security scan, the CVE-2009-3960 vulnerability was detected; the details are as follows:
Vulnerability Name: Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05) (CVE-2009-3960) [Principle Scan]
Risk Level: Medium
Highly Exploitable: No
CVE Number: CVE-2009-3960
Port (Service): 8123 (http)
Risk Description: The remote host appears to be running an Adobe product that is vulnerable to XML External Entity (XXE) attacks. When using HTTPChannel to transmit data in AMFX format, the installed version of the product fails to prevent the use of external XML entities. A remote, unauthenticated attacker can exploit this vulnerability to read arbitrary files from the remote system.
Adobe has stated that Adobe BlazeDS, LiveCycle, LiveCycle Data Services, Flex Data Services, and ColdFusion are affected by this issue.
Risk Impact: A remote, unauthenticated attacker can exploit this vulnerability to read arbitrary files from the remote system.
Solution: Apply the appropriate patch provided by the vendor.
References:
https://www.adobe.com/support/security/bulletins/apsb10-05.html
https://security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201002-143
Protocol Type: tcp
Risk Evidence:
Sangfor found the following vulnerable HTTPChannel endpoint:
HTTPChannel Endpoint: /flex2gateway/http
Sangfor was able to exploit the issue to retrieve the contents of ‘win.ini’ using the following request:
POST /flex2gateway/http HTTP/1.1
Host: -------:8123
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Content-Type: application/x-amf
Connection: Keep-Alive
Content-Length: 865
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
This produced the following truncated output (limited to 10 lines):
------------------------------ snip ------------------------------
Code: 62, e.displayText() = DB::Exception: Syntax error: failed at [...]
[...] HOW [TEMPORARY] TABLES|DATABASES [[NOT] LIKE 'str'], SHOW, EXISTS or SHOW [...]
------------------------------ snip ------------------------------
Vulnerability ID: SF-0006-01897
[Reproduction Path]
[Problem Phenomenon and Impact] Is this information a false positive or a real security vulnerability?
[Attachments]
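A check worth running before closing a finding like this, added here as an example (it is not code from the thread, from the scanner vendor, or from TiDB/TiFlash). The scanner's evidence quotes a DB::Exception syntax error from the host rather than any contents of win.ini; TiFlash's port 8123 is its ClickHouse-derived HTTP interface, which treats the POST body as a query, so a non-SQL body produces exactly that error. The script replays the scanner's request shape and classifies the response by what it actually proves. The 865-byte request body is not included in the post, so replay() takes it as a parameter supplied by the caller; the sample responses at the bottom are constructed, not captured traffic.

```python
"""Classify what a CVE-2009-3960 (AMFX XXE) scan response actually demonstrates.

Added example; assumes nothing about the scanner beyond the request shape shown
in the report (POST /flex2gateway/http, Content-Type: application/x-amf).
"""
import http.client
import re

# Strings present in a genuine Windows win.ini. Any of them in the response means
# the external entity really was expanded and the file was read.
WIN_INI_MARKERS = (
    "[fonts]",
    "[extensions]",
    "[mci extensions]",
    "[files]",
    "for 16-bit app support",
)

# What a ClickHouse-derived HTTP endpoint (TiFlash on 8123) returns when the POST
# body is not SQL: it tried to parse the payload as a query and failed.
SQL_PARSE_ERROR = re.compile(r"DB::Exception: Syntax error", re.IGNORECASE)

# A real BlazeDS/LCDS gateway answers inside an <amfx> XML envelope.
AMFX_ENVELOPE = re.compile(r"<amfx\b", re.IGNORECASE)


def classify(status: int, body: str) -> str:
    """Return a verdict string describing what the response proves."""
    lowered = body.lower()
    if any(marker in lowered for marker in WIN_INI_MARKERS):
        return "confirmed: win.ini contents returned, external entity was expanded"
    if SQL_PARSE_ERROR.search(body):
        return ("false positive: endpoint parsed the payload as SQL "
                "(ClickHouse/TiFlash HTTP interface), no XXE processing occurred")
    if AMFX_ENVELOPE.search(body):
        return "inconclusive: AMFX gateway responded, but no file contents in response"
    if status == 404:
        return "false positive: /flex2gateway/http does not exist on this host"
    return f"inconclusive: HTTP {status}, no recognised marker in response"


def replay(host: str, port: int, body: bytes, timeout: float = 5.0) -> tuple:
    """Send the scanner's request shape and return (status, decoded body).

    `body` must be supplied by the caller: the report shows Content-Length: 865
    but the payload itself was not included in the post.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request(
        "POST",
        "/flex2gateway/http",
        body=body,
        headers={
            "Content-Type": "application/x-amf",
            "Accept": "*/*",
            "Connection": "close",
        },
    )
    resp = conn.getresponse()
    text = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return resp.status, text


# Constructed samples (not captured traffic). SAMPLE_TIFLASH mirrors the shape of
# the error the scanner quoted; SAMPLE_XXE_HIT is what a genuine read of win.ini
# through the AMFX gateway would look like.
SAMPLE_TIFLASH = (
    "Code: 62, e.displayText() = DB::Exception: Syntax error: failed at [...]"
)
SAMPLE_XXE_HIT = (
    '<?xml version="1.0"?><amfx ver="3"><body>; for 16-bit app support\n'
    "[fonts]\n[extensions]\n[mci extensions]\n</body></amfx>"
)

if __name__ == "__main__":
    print(classify(500, SAMPLE_TIFLASH))
    print(classify(200, SAMPLE_XXE_HIT))
    # To re-test a live host, pass the scanner's own payload bytes:
    # status, text = replay("tiflash-host", 8123, payload_bytes)
    # print(classify(status, text))
```

The verdict is deliberately driven by response content, not by HTTP status alone: a scanner that keys on "endpoint returned 200/500 with a body" will flag any HTTP listener that accepts arbitrary POSTs, which is why checking for the actual win.ini section headers is the only evidence that distinguishes a real XXE read from a database complaining about a malformed query.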
Please provide the version information of each component, such as cdc/tikv, which can be obtained by running cdc version or tikv-server --version.