-
- Influencer
- Posts: 16
- Liked: 1 time
- Joined: Dec 31, 2018 6:44 am
- Full Name: Harshana Fernando
- Contact:
RE : Veeam Backup & Replication
Hi
We ran a Vulnerability Assessment on one of our customers' Veeam B&R servers, and after running the VA we found one issue on it. The issue description shown in the report follows. The recommendation says to update TYPO3 or delete the "charts.swf" file, so I want to clarify: if I delete this file, will it affect the Veeam portal? I would appreciate it if someone could advise on this.
Issue
-------
ExtJS charts.swf cross site scripting
Description
The ExtJS JavaScript framework that is shipped with TYPO3 also delivers a flash file to show charts. This file is susceptible to
cross site scripting (XSS). This vulnerability can be exploited without any authentication.
Impact
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to
gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also
possible to modify the content of the page presented to the user.
Recommendation
Update to TYPO3 versions 4.5.34, 4.7.19, 6.0.14, 6.1.9 or 6.2.3 that fix the problem described or delete the file
typo3/contrib/extjs/resources/charts.swf as it is not used by TYPO3 at all.
Thanks
Harshana
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: RE : Veeam Backup & Replication
Hi Harshana,
What portal are you talking about? Enterprise Manager or Veeam Availability Console? Also, what version and product of Veeam did you test?
Many thanks for letting us know. We will look into this ASAP.
Thanks
Mike
-
- Influencer
- Posts: 16
- Liked: 1 time
- Joined: Dec 31, 2018 6:44 am
- Full Name: Harshana Fernando
- Contact:
Re: RE : Veeam Backup & Replication
Hi Mike
Thanks a lot for the quick response. We tested "Enterprise Manager" & Veeam Backup & Replication v9.5.
Thanks
Harshana
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: RE : Veeam Backup & Replication
Hi Harshana,
I will pass this information to our security team for investigation. To be honest, I doubt you can delete that charts.swf file. If it is included, it probably is needed otherwise the charts will fail. But as said, I will pass this information to the correct teams and they will troubleshoot. We take security seriously so give us some time to go through this information.
PS: Is this v9.5 update 3?
-
- Influencer
- Posts: 16
- Liked: 1 time
- Joined: Dec 31, 2018 6:44 am
- Full Name: Harshana Fernando
- Contact:
Re: RE : Veeam Backup & Replication
Yes, we installed v9.5 Update 3.
Thanks
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: RE : Veeam Backup & Replication
OK. I will send the information through and update as soon as we know more.
Again, thanks for letting us know.
-
- Influencer
- Posts: 16
- Liked: 1 time
- Joined: Dec 31, 2018 6:44 am
- Full Name: Harshana Fernando
- Contact:
Re: RE : Veeam Backup & Replication
Okay, Thanks
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: RE : Veeam Backup & Replication
Hi Harshana,
Our software engineers just informed me that the file is not in use by Enterprise Manager, so it can be safely deleted.
Brgds,
Mike
-
- Influencer
- Posts: 16
- Liked: 1 time
- Joined: Dec 31, 2018 6:44 am
- Full Name: Harshana Fernando
- Contact:
Re: RE : Veeam Backup & Replication
Hi Mike
Thanks for your prompt reply & Thank you very much for your support....
Thanks
Harshana