Software Engineering Institute

The Accoria web server, also known as Rock Web Server, contains several cross-site scripting (XSS) and cross-site request forgery (XSRF) vulnerabilities. Directory traversal and format string vulnerabilities exist as well. The getenv sample code contains an XSS vulnerability when viewed by Internet Explorer 6 or other web browsers that do not follow RFC 2616 Section 7.2.1. Generated cookies appear to be weak and predictable, which may allow an attacker to bypass authentication.

Further details are available from the IOActive security advisory.

A remote and unauthenticated attacker may be able to execute commands in the context of the web server administrator.

Apply an update
The vendor recommends all users upgrade to version 1.5.2 or later.

Restrict access

Appropriate firewall rules should be set up to limit access to the web server's administration interface to only trusted sources.

XSRF protection

To avoid XSRF attacks, do not click on links from untrusted sources while logged into the administration interface.