Article ID: 122542, created on Jul 31, 2014, last review on Oct 10, 2014

Applies to:
  • Odin Business Automation Standard 4.5
  • Odin Business Automation Standard 4.3
  • Odin Business Automation Standard 4.1
  • Odin Business Automation Standard 3.3

Symptoms

A Parallels Business Automation - Standard (PBA-S) product security audit revealed a CSRF vulnerability that allows an attacker to target an administrator via a specially prepared web page. The consequences of the attack may include remote code execution and session hijacking of the PBA-S administrator account.

Another vulnerability is the open API on port 80, which allows attackers to perform almost any action by bypassing authorization.

The fix for these vulnerabilities will be included in a future update. However, taking into account the high-risk nature of the vulnerabilities, we strongly recommend that PBA-S providers running PBA-S 4.3 and 4.5 install the hotfixes below.

Resolution

Please apply the following hotfixes for both vulnerabilities:

For the CSRF issue:

Download the hotfix installer and run it on a PBA-S node. The installer downloads all necessary patches and installs them.

Installation:

# wget http://download.pa.parallels.com/pbas/4.5/hotfixes/KB122542/installer.sh
# sh installer.sh

Confirm the installation by pressing "y" when prompted. Feel free to contact Technical Support in case of any difficulties with the hotfix installation.

Note: PBA-S services will be restarted automatically after the hotfix has been installed.


For the API issue:

Because of this critical security risk, check and update the PBA-S configuration to deny API access to the server from non-trusted hosts:

The configuration file /etc/hspcd/conf/hspc_frontend.conf MUST look like:

<Location /hspc/xml-api>
    Order Deny,Allow
    Deny from all
</Location>

This means the API directory will not be accessible to anyone on the default port (80): all access must be denied. If you are using a remote PBA-S store or some kind of API customization, use an SSL channel as described in section 4 of the PBA-S SDK documentation.

Note: In order to apply the changes, restart or reload the httpd service:

# service httpd reload
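The following script is an added example for verifying the configuration step above; it is not part of the article or of the PBA-S product. It checks that a frontend configuration file contains a <Location /hspc/xml-api> block whose body denies all access and contains no "Allow from" override, which is the state the article requires. The sample configuration files it creates are constructed for the demonstration, and the path /etc/hspcd/conf/hspc_frontend.conf is the one named in the article.

```shell
#!/bin/sh
# Added example (not from the KB article): confirm that an Apache-style
# frontend config denies all access to /hspc/xml-api on the plain-HTTP port.
# Assumes the Apache 2.2 "Order/Deny" syntax shown in the article.

# check_api_denied FILE
# Returns 0 when FILE has a <Location /hspc/xml-api> block that contains
# "Deny from all" and no "Allow from" line; returns 1 otherwise.
check_api_denied() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Extract only the body of the /hspc/xml-api Location block.
    body=$(awk '
        /<Location[ \t]+\/hspc\/xml-api[ \t]*>/ { inblock = 1; next }
        /<\/Location>/ { if (inblock) exit }
        inblock { print }
    ' "$conf")
    [ -n "$body" ] || return 1
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all[[:space:]]*$'; then
        return 1
    fi
    # Any "Allow from" inside the block re-opens the API, so treat it as a failure.
    if printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*Allow[[:space:]]+from'; then
        return 1
    fi
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: exactly the block the article requires.
GOOD_CONF="$WORK/good.conf"
cat > "$GOOD_CONF" <<'EOF'
<Location /hspc/xml-api>
    Order Deny,Allow
    Deny from all
</Location>
EOF

# Constructed sample: an "Allow from" line re-opens the API on port 80.
BAD_CONF="$WORK/bad.conf"
cat > "$BAD_CONF" <<'EOF'
<Location /hspc/xml-api>
    Order Deny,Allow
    Deny from all
    Allow from all
</Location>
EOF

# Constructed sample: no Location block for the API at all.
MISSING_CONF="$WORK/missing.conf"
cat > "$MISSING_CONF" <<'EOF'
<Location /hspc/ui>
    Order Allow,Deny
    Allow from all
</Location>
EOF

# Demo run over the constructed samples; on a real node pass
# /etc/hspcd/conf/hspc_frontend.conf instead.
for f in "$GOOD_CONF" "$BAD_CONF" "$MISSING_CONF"; do
    if check_api_denied "$f"; then
        echo "OK:   $f denies /hspc/xml-api"
    else
        echo "FAIL: $f does not deny /hspc/xml-api"
    fi
done
```

Run the check after editing the file and again after "service httpd reload"; a file that passes the check but still serves the API means a different include is overriding the block. Note that Apache 2.4 ignores Order/Deny directives unless mod_access_compat is loaded and uses "Require all denied" instead, so on a 2.4 httpd the equivalent block must be verified separately.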

