Accellion Patches Flaws Found During Facebook Hack

Mihir :-)

Thread author
CERT/CC has published an advisory detailing the vulnerabilities uncovered by a researcher in February while trying to find security holes in one of Facebook’s servers.

While hunting for flaws that he could report to Facebook’s bug bounty program, security consultant Orange Tsai came across a domain called files.fb.com. The domain hosted a login interface for an Accellion File Transfer Appliance, a device used by enterprises for secure file transfers.

An analysis revealed that the Accellion product had been plagued by 7 vulnerabilities, one of which allowed Tsai to upload a web shell to the Facebook server. Facebook said it stopped using the vulnerable software following the incident.

CERT/CC published an advisory on Friday to detail the vulnerabilities found by Tsai in the Accellion File Transfer Appliance. The flaw leveraged by the expert to upload a web shell is a SQL injection (CVE-2016-2351) caused by the improper handling of data in the “client_id” parameter in “/home/seos/courier/security_key2.api”.

Another command injection flaw found by Tsai (CVE-2016-2352) is caused by unsafe handling of restricted users utilizing YUM_CLIENT. “This allows a restricted user to execute any command via root permission,” CERT said in its advisory.

Read More: Accellion Patches Flaws Found During Facebook Hack | SecurityWeek.Com
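The post above reports that the web-shell upload was made possible by a SQL injection in the `client_id` parameter of `security_key2.api`. The following is an added example, not part of the post or of Accellion's code, showing the defect class in miniature and one defensive check: a lookup that concatenates the parameter into SQL next to the parameterized form, plus a small scanner that flags `client_id` values with SQL metacharacters in constructed access-log lines. The table schema, the log format and the sample log lines are assumptions made for the demo.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines: "<client ip> <method> <request path>".
# The second line carries a percent-encoded quote/OR payload in client_id.
SAMPLE_LOG = [
    "10.0.0.5 GET /home/seos/courier/security_key2.api?client_id=acme",
    "10.0.0.7 GET /home/seos/courier/index.html",
    "10.0.0.9 GET /home/seos/courier/security_key2.api?client_id=%27%20OR%20%271%27%3D%271",
]

# Assumed schema for the demo: one security key per client id.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (client_id TEXT PRIMARY KEY, security_key TEXT)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?)",
        [("acme", "key-acme"), ("globex", "key-globex")],
    )
    return conn

def lookup_key_unsafe(conn, client_id):
    # Defect class from the advisory: the untrusted parameter is spliced
    # straight into the SQL text, so quotes in it change the query logic.
    sql = "SELECT security_key FROM clients WHERE client_id = '%s'" % client_id
    return [row[0] for row in conn.execute(sql)]

def lookup_key_safe(conn, client_id):
    # Hardened form: the value is bound as a parameter and can never be
    # interpreted as SQL, whatever characters it contains.
    sql = "SELECT security_key FROM clients WHERE client_id = ?"
    return [row[0] for row in conn.execute(sql, (client_id,))]

# Characters and keywords that have no business in a legitimate client id.
# Word-bounded so that ids containing "or" or "union" as substrings do not match.
SUSPECT = re.compile(r"['\"]|--|/\*|\bor\b|\bunion\b", re.IGNORECASE)

def flag_suspicious_requests(log_lines):
    """Return (client_ip, decoded client_id) for requests to security_key2.api
    whose client_id looks like an injection attempt."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip
        url = urlsplit(parts[2])
        if not url.path.endswith("/security_key2.api"):
            continue  # only the endpoint named in the advisory is of interest
        # parse_qs percent-decodes values, so encoded quotes are caught too
        for value in parse_qs(url.query).get("client_id", []):
            if SUSPECT.search(value):
                hits.append((parts[0], value))
    return hits

if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_key_unsafe(db, payload))   # leaks every key
    print("safe:  ", lookup_key_safe(db, payload))     # matches nothing
    print("flagged:", flag_suspicious_requests(SAMPLE_LOG))
```

Running the script shows the concatenated query returning every stored key for a value that is not a client id at all, while the parameterized query returns nothing for the same input; the log scanner reports only the third sample line. The regex is intentionally narrow and will miss obfuscated payloads, so it is a triage aid for this one endpoint rather than a substitute for fixing the query.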
