PacketFence Closes XSS Hole

Monday, February 27, 2012 @ 02:02 PM gHale


Open source security provider PacketFence has published version 3.2.0 of its network access control (NAC) system.

The release adds support for Ruckus Wireless Controllers, integrates the OpenVAS vulnerability assessment system for client-side policy compliance and adds a billing engine that enables the use of a payment gateway for gaining network access.


PacketFence allows organizations to increase control over their network by enforcing authentication and registration for newly connected devices. It also enables abnormal network activity detection and the isolation of troublesome devices. Administration of the system comes via a command line or web-based management system, and it can integrate with LDAP or Active Directory services, the Snort IDS and the Nessus vulnerability scanner.

The new version avoids redundant operations at startup. Performance of FreeRADIUS, an open source RADIUS server, improved by a factor of two by avoiding superfluous queries. The developers also note that bandwidth violations tracked by the system are now based on RADIUS accounting information; support for tracking node bandwidth usage was added in version 3.0.

Other changes include the addition of new trigger types, the refactoring of code and tests, more aggressive exception-based configuration error handling and fixes for 18 bugs. The update also addresses a “high” priority vulnerability in the Web Admin printing system (printer.php) that an attacker could exploit to conduct cross-site scripting (XSS) attacks.

PacketFence 3.2.0 is available to download as source and as RPMs for versions 5 and 6 of Red Hat Enterprise Linux (RHEL) and CentOS.


