ConfigServer Firewall (CSF)


| # | VER | L/R | AUTH | S | REPORTED | TYPE | DESCRIPTION |
|---|-----|-----|------|---|----------|------|-------------|
| 01 | 2.66 | L | N | Y | 04/17/2007 | shell invocation | `file -i` run as root on user-controlled filenames |
| 02 | 2.67 | L | N | Y | 04/18/2007 | shell invocation | `/bin/tar` run as root on user-controlled filenames |
| 03 | 2.67 | L | Y | N | 04/18/2007 | permissions | non-root permissions on init script |
| 04 | 2.67 | R | N | Y | unreported | shell invocation | remote command execution as root (LF_HTACCESS) |
| 05 | 2.67 | R | N | Y | unreported | shell invocation | remote command execution as root (LF_HTACCESS) |
| 06 | 2.67 | R | N | Y | unreported | shell invocation | remote command execution as root (LF_MODSEC) |
| 07 | 2.76 | L | N | Y | 06/11/2007 | shell invocation | insecure Perl `open()` call as root on user-controlled filename |
| 08 | 2.76 | R | N | Y | 06/11/2007 | design issue | remotely block any IP address (pure-ftpd regexp) |
| 09 | 3.28 | R | N | Y | 05/18/2008 | design issue | remotely block any IP address (smtpauth regexp) |
| 10 | 3.28 | R | N | Y | 05/18/2008 | design issue | remotely block any IP address (pop3d regexp) |
| 11 | 3.28 | R | N | Y | 05/18/2008 | design issue | remotely block any IP address (imapd regexp) |
| 12 | 3.28 | R | N | Y | 05/18/2008 | design issue | remotely block any IP address (modsec v1 regexp) |
| 13 | 3.28 | R | N | Y | 05/18/2008 | design issue | remotely block any IP address (modsec v2 regexp) |
| 14 | 3.28 | R | N | Y | 05/18/2008 | design issue | remotely block any IP address (apache 1.x htaccess regexp) |
| 15 | 3.28 | R | N | Y | 05/18/2008 | design issue | remotely block any IP address (apache 2.x htaccess regexp) |
| 16 | 3.28 | L | N | Y | 05/18/2008 | design issue | local users can disable LFD, disrupting CSF functionality |
| 17 | 3.28 | R | N | Y | 05/18/2008 | design issue | remotely DoS any host running CSF |
| 18 | 5.22 | R | N | Y | 05/??/2011 | shell invocation | remote command execution as root |

Severity levels:

| Level | Meaning |
|-------|---------|
| Trivial | very minor issues |
| Low | XSS, info leaks |
| Medium | destructive actions, access to others' accounts |
| High | local root (auth required), /root/.accesshash, /etc/shadow access |
| Less Critical | local root (no auth required) |
| Critical | remote root (no auth required) |

Column key:

| Column | Meaning |
|--------|---------|
| L/R | Local/Remote |
| AUTH | Authentication required |
| S | Bug found via source code review |