Disabling insecure Javascript emitted by OpenVPN AS

dsmith
OpenVpn Newbie
Posts: 1
Joined: Fri Oct 14, 2016 10:34 am

Disabling insecure Javascript emitted by OpenVPN AS

Post by dsmith » Fri Oct 14, 2016 10:52 am

Hi all

We recently had a PCI-DSS penetration test that revealed two showstopping Javascript vulnerabilities in the web interface of OpenVPN, which cause us to fail the PCI-DSS security standards. One is an XSS vulnerability, the other is an old insecure version of jQuery. Unfortunately these problems are present in the newest version of OpenVPN AS released for Debian (version 2.1.4).

I thought turning off the web interface on the OpenVPN AS would be enough, but this causes OpenVPN AS to not work at all (even selecting directly "Connect to..." on the client). Which means we are stuck with the web interface, or in other words, we're going to have to uninstall OpenVPN to be able to pass our PCI-DSS testing.

Another alternative would be to get rid of the insecure Javascript until OpenVPN-AS is patched. At least for existing users, I'm pretty sure that OpenVPN Connect would probably continue to work if I just deleted the insecure Javascript where the penetration test found it. However, even searching the entire filesystem and the Debian package doesn't bring up the jQuery file that's referenced (https://our-url//js/lib/jquery-1.4.2.min.js), and a recursive grep of the entire contents of the package doesn't bring up the insecure line of Javascript in the login page (the offending insecurity is on line 45 of the page source of the login page).

Where is the Javascript kept in OpenVPN-AS? How can I get rid of it?
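A check a defender can run against the served login page to confirm which script files it still references and whether any jQuery build is older than the floor their assessment requires. This is an added example, not OpenVPN AS code: the sample page below is constructed to mirror the `/js/lib/jquery-1.4.2.min.js` reference from the post, and the minimum version is an assumed placeholder.

```python
import re
from html.parser import HTMLParser

# Constructed sample resembling the login page described in the post:
# one outdated external jQuery reference, one app script, one inline block.
SAMPLE_LOGIN_PAGE = """<html><head>
<script type="text/javascript" src="/js/lib/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="/js/app.js"></script>
</head><body>
<script>var ready = true;</script>
</body></html>"""

# Assumed floor: any jQuery build older than this is reported. Set it to
# whatever your own assessment or vendor advisory specifies.
MIN_JQUERY = (3, 5, 0)

# Matches jquery-1.4.2.min.js, jquery-3.6.js, etc. (version from the filename only)
JQUERY_RE = re.compile(r"jquery-(\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js$", re.I)


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and counts inline script blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1  # inline code: review by hand for reflected input


def audit_scripts(html, min_jquery=MIN_JQUERY):
    """Return (outdated_jquery, external_urls, inline_count) for one page."""
    collector = ScriptCollector()
    collector.feed(html)
    outdated = []
    for url in collector.external:
        match = JQUERY_RE.search(url.split("?", 1)[0])  # ignore cache-busting query
        if match:
            version = tuple(int(x) if x else 0 for x in match.groups())
            if version < min_jquery:
                outdated.append((url, version))
    return outdated, collector.external, collector.inline
```

Feed it the HTML fetched from the login URL after each patch or cleanup; an empty first element means no outdated jQuery reference remains, while the inline count tells you how many script blocks still need manual review.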

tcaetano
OpenVpn Newbie
Posts: 5
Joined: Tue Mar 28, 2017 1:32 pm

Re: Disabling insecure Javascript emitted by OpenVPN AS

Post by tcaetano » Tue Apr 25, 2017 5:43 pm

I have the same problem here.

How did you disable the web interface? I did it, but then I was not able to connect to the VPN and had to roll back.
Let's hope they fix this.
