Article ID: 115857, created on Mar 28, 2013, last review on May 10, 2014

  • Applies to:
  • Confixx Professional 3

Symptoms

There is a 'write anywhere' vulnerability introduced by Confixx's use of the Apache CustomLog directive. When writing to a log, Confixx uses the HTTP 'Host' header field to construct the access log file name. The 'Host' value is set on the client side and can be modified to point to an arbitrary file on the local file system.

Resolution

Replace the file /root/confixx/pipelog.pl with the attached one.
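
The attached pipelog.pl is not reproduced on this page. The following is an added example, not Confixx's code, of how a piped-log script can map a client-supplied Host value to a log file without letting it leave the log directory. The directory, fallback file name, hosted-domain list and input line layout are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Assumptions (not from the article): log directory, fallback file name,
# and the set of hosted domains are placeholders for illustration.
my $LOG_DIR = '/var/log/vhosts-example';
# '_' is not valid in a host label, so this name cannot collide with a host.
my $DEFAULT = File::Spec->catfile($LOG_DIR, '_unknown_host.log');
my %HOSTED  = map { $_ => 1 } qw(example.com www.example.com shop.example.net);

# One DNS label: letters, digits, inner hyphens. No '/', '\', NUL or spaces.
my $LABEL = qr/[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/;

# Map a client-supplied Host value to a log file that is always inside $LOG_DIR.
sub log_file_for {
    my ($host) = @_;
    return $DEFAULT unless defined $host;
    $host = lc $host;
    $host =~ s/:\d{1,5}\z//;    # strip optional port
    $host =~ s/\.\z//;          # strip trailing root dot
    return $DEFAULT if length($host) > 253;
    # Dot-separated non-empty labels only, so '..' and path separators fail.
    return $DEFAULT unless $host =~ /\A$LABEL(?:\.$LABEL)*\z/;
    # Only domains actually hosted get their own file; this also stops a
    # client from creating an unbounded number of log files.
    return $DEFAULT unless $HOSTED{$host};
    return File::Spec->catfile($LOG_DIR, "$host.log");
}

# Constructed sample input: "<Host value> <rest of access-log entry>".
my @sample = (
    'www.example.com 203.0.113.5 - - [28/Mar/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    'WWW.Example.COM:80 203.0.113.6 - - [28/Mar/2013:10:00:01 +0000] "GET /a HTTP/1.1" 200 90',
    '../../tmp/outside 203.0.113.9 - - [28/Mar/2013:10:00:02 +0000] "GET / HTTP/1.1" 200 512',
    'not-hosted.example.org 203.0.113.9 - - [28/Mar/2013:10:00:03 +0000] "GET / HTTP/1.1" 200 512',
);
for my $line (@sample) {
    my ($host, $entry) = split / /, $line, 2;
    printf "%s <- %s\n", log_file_for($host), $entry;
}
```

The first two sample lines resolve to www.example.com.log; the last two fall back to the default file because the Host value is either not a valid host name or not a hosted domain.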

Attachments
