Detections
Analytics

Debian DSA-2510-1 : extplorer - Cross-site request forgery

medium Nessus Plugin ID 59961

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

John Leitch has discovered a vulnerability in eXtplorer, a very feature rich web server file manager, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The vulnerability allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request.
This can be exploited for example, to create an administrative user account by tricking an logged administrator to visiting an attacker-defined web link.

Solution

Upgrade the extplorer packages.

For the stable distribution (squeeze), this problem has been fixed in version 2.1.0b6+dfsg.2-1+squeeze1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678737

https://packages.debian.org/source/squeeze/extplorer

https://www.debian.org/security/2012/dsa-2510

Plugin Details

Severity: Medium

ID: 59961

File Name: debian_DSA-2510.nasl

Version: 1.9

Type: local

Agent: unix

Published: 7/13/2012

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:extplorer, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 7/12/2012

Reference Information

CVE: CVE-2012-3362

BID: 54431

DSA: 2510