Test ID:	1.3.6.1.4.1.25623.1.0.803710
Category:	Web application abuses
Title:	DS3 Authentication Server Multiple Vulnerabilities
Summary:	DS3 Authentication Server is prone to multiple vulnerabilities.
Description:	Summary: DS3 Authentication Server is prone to multiple vulnerabilities. Vulnerability Insight: The flaws are due to: - The TestTelnetConnection.jsp does not validate the user input, allowing an attacker to execute arbitrary commands in the server side with the privileges of asadmin user. - TestDRConnection.jsp, shows the file path in the error messages, this is considered a minor information leak. - Without being authenticated, any user is able to manipulate the message of the default error page, helping him to develop social engineering attacks. - ServerAdmin/ErrorViewer.jsp in DS3 Authentication Server allow remote attackers to inject arbitrary error-page text via the message parameter. Vulnerability Impact: Successful exploitation will allow remote attackers to execute arbitrary commands and obtain the sensitive information. Affected Software/OS: DS3 Authentication Server Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. CVSS Score: 9.0 CVSS Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2013-4096 http://packetstormsecurity.com/files/121862/DS3-Authentication-Server-Command-Execution.html http://www.digitalsec.net/stuff/explt+advs/DS3.AuthServer.txt Common Vulnerability Exposure (CVE) ID: CVE-2013-4097 Common Vulnerability Exposure (CVE) ID: CVE-2013-4098
Copyright	Copyright (C) 2013 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.