Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.

Multiple Cross-Site Scripting Vulnerability

Created: 21 Aug 2013 | 15 comments

This request is rather different from my previous request and wondered if anyone has any suggestions.

EV 10.0.3 installed on two trusted domains (one production and one in test) environments. Our security team has run some tools to identify Scripting in our environments and they come up with this Vulnerability issue and they have asked me to resolve it and I have no idea where to go and what to change.

The web server and application found on this host (EV server) is vulnerable to multiple XSS attacks due to improper user input sanitization.

The Quate CMS running on port 7215 on EV server is prone to this common vulnerability.

and the recommendation is:

check with the vendor for patch. for workaround configure the web server to return a customised error or redirection page that properly sanitizes requested URL in the response.

 

Operating Systems:

Comments 15 CommentsJump to latest comment

GabeV's picture

Hi,

I did a quick search about 'Quate CMS' and appears to be a Content Manager System (PHP-based content manager). Is this app running in that specific port 7215? If so, I don't think this is a Symantec product (at least not related to EV). If you do not have this product installed, what process is running on this port? Run a netstat -nao, look for 0.0.0.0:7215 and get the PID (last column), then open Task Manager and add the PID column to the Processes tab. Look at the process name and verify if the process is EV related.

I hope this helps.

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

EdLacey's picture

Quate CMS has nothing to do with EV

http://www.juniper.net/security/auto/vulnerabilities/vuln30570.html

Don't know how you have ended up with this app running on your EV servers but removing it would seem to be the obvious solution

EVRocks's picture

thank you Guys,

Follwoing Gabev - the PID is belong to query-service.exe description: Velocity Search Service. this is running under EV service account.

In fact there are a few services running: Collection-broker.exe, collection-service-dispatch.exe

search these services I have found this Not sure how to uninstall this:

http://www.symantec.com/business/support/index?page=content&id=TECH172165

since it's part of EV. May be I have installed some kind of troubleshooting tool but somehow I do not have these services in prod environment.

Follwoing Ed - I do not find Quate CMS is a PHP-based content manager installed anywhere in that server.

GabeV's picture

You can't uninstall these services sice they are part of the EV 10 indexing processes. I am wondering if this security tool is seeing that this port is open on the EV server and the tool is **thinking** that the application running should be 'Quate CMS'. If that's the case then you need to confirm with the team that ran this tool if this is the case or not.

I hope this helps.

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

EVRocks's picture

thank you GabeV,

I am not following you with your last comment - sorry.

The thing is that I do not have these services running in the EV production server.

GabeV's picture

I think I misunderstood your previous comment. You mentioned that the PID belongs to query-service.exe but then you mentioned that you do not have these services in production environment. Which services were you referring to?

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

Pradeep_Papnai's picture

In my little research on internet for this port indicates that in past a this port was used by a known malware. Refer link: http://www.auditmypc.com/tcp-port-7215.asp, then it’s expected that security software will generate alerts when they see this port open.   

And Enterprise vault indexing engine query search port also use 7215, so might be your security tools considering it as Vulnerability issue.

I would suggest to change this port via VAC (open VAC \ Expand servers \ select EV SERVER \Properties \ advanced \ indexing - indexing engine query search port) like screenshot.

Regards

EV-C

 

 

SERVER.jpg
GabeV's picture

Good catch, but I would NOT recommend changing this setting as described in the help file:

Indexing Engine Query Service Port (Computer Properties Indexing setting)

Description

The internal communication port for the Indexing Engine Query Service.

Note:

Do not change this advanced setting unless your technical support provider advises you to do so.

Supported values

  • An integer specifying a port number. The default is 7215.

 

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

Pradeep_Papnai's picture

Thanks Gabe for point this out correctly, Yes please contact Tech support to get best advice before you make port changes. As far as I know Velocity webservice only allow VSA to access this port from localhost (127.0.0.1).

EVRocks's picture

thank you Guys,

Gabe - what I was trying to explain is that I have EV installed in two separate environments (forests) ie production and test.

I am only seeing these services running in the test environment NOT in production. So in the live environment  I am not seeing query-service.exe with port 7215, Collection-broker.exe and collection-service-dispatch.exe

So if EV is using these services then who come I end up EV in production with out them and we do not have indexing issue right now but after two month EV migration we did have major indexing issue for the journaling.

 

GabeV's picture

EVRocks,

If I look at my 10.0.4 lab, I can see these processes running:

Capture1_1.JPG

Capture.JPG

If you are running EV 10 on both domains, something is not right because we changed the index engine starting with EV 10.0 base. The only thing I can think of is that you are running EV 9.x in your production environment. If that's the case, then that could explain this situation. Otherwise, go ahead and open a ticket with support so we could review your environment.

I hope this helps.

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

Pradeep_Papnai's picture

Honestly, we are not sure why this happening only in your test environment, As Gabe suggested, input from support would be good option.  

EVRocks's picture

Guys,

below is the response from Symantec support team. I think our security team will suggest to change the port number.

 

I have researched and found some points regarding the port:-

1.    By default, EV uses port 7215.

2.    However, little research on internet for this port also indicates that in past a this port was used by a known malware. Refer link: http://www.auditmypc.com/tcp-port-7215.asp .  With this, it’s expected that security software will generate alerts when they see this port open.  

3.    But now that we know EV has opened that port, and not the malware as such, in such case the you should ignore this warning (as it’s a false alert).

 4.    Fortunately, EV allows you to change the default port number used in this case.   

The port can be changed from Vault admin console:-

 Open VAC--> Expand to the Indexing EV  server--> Right click on the server and select properties-->select Advanced Tab " Change the "IndexingEngineQueryServicePort" = (any new port number Make sure its not inuse by other software).

Once Done Verify if it is updated using the following SQL query on EnterpriseDirectory Database:- select settingName, settingDescription, settingValueNumeric from view_ExtendedSetting where settingName = 'IndexingEngineQueryServicePort'

Pradeep_Papnai's picture

Thanks for update. You may wish to mark the comment as solution which ever best suite your answer.

TypoProne's picture

If iti s a false positive and has been identified as such... should that not satisify the security team? This has been confirmed to be a process that is running as part of EV and suspected that the security scanning software is seeking open ports as the trigger for a security concern. IF this is still a valid concern despite appearing to be a false positive... wouldnt changing the ports just shuffle the issue to somewhere the utility doenst find it?

 

At the point where it is confirmed to be a false positive... I may go to the secuity scanning software and confirm this is what they are looking at and then ask them to enhance their product.

 

Any security concerns should be logged into a case as dev are the only people who can really address them IMO.

 

If and when your query is satisified... please dont forget to flag the poster who helped you work it out.

 

Thanks in advanced.