Tuesday, December 19, 2017

CVE-2017-17759 Conarc iChannel - Unauthenticated Access/Default Webserver Misconfiguration allows for compromise of server

https://(affectedserver)/wc.dll?wwMaint~EditConfig

The customized webserver used by iChannel is based on an outdated and vulnerable version of WestWind Webserver. This configuration page is reachable by a remote attacker without any authentication.

By visiting this link, the attacker reaches the webserver's configuration editor. The page discloses sensitive configuration data, lets the attacker alter or replace the server's configuration, and can be used to cause a Denial of Service by deleting the configuration outright.

Conarc has acknowledged the issue and has been notified of its impact.

If your iChannel install is reachable from the public internet, this can result in complete compromise of the server and the web application, severe information leakage, and DoS.

Resolution:

Until a patch is available, affected installs should be removed from public access. In the case of private deployments, apply an ACL to this page so that unauthenticated requests to it are denied, and verify the block by requesting the URL above from an untrusted network position.
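One way to apply such a block, added here as an example and not part of the original advisory or of Conarc's or West Wind's own code: wc.dll is an ISAPI extension, so this assumes iChannel is hosted under IIS 7.5 or later, where the built-in Request Filtering module can deny any request whose query string contains the maintenance prefix. Placed in the site's web.config, the fragment below rejects requests such as `wc.dll?wwMaint~EditConfig` with HTTP 404 (substatus 404.18) before they reach wc.dll. The `wwMaint` sequence is taken from the URL in this post; the `location` path and the `ipSecurity` allow-list entry (192.0.2.0/24, a documentation range) are assumptions to be replaced with the real application path and the administrators' subnet.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- Deny every request whose query string contains the wwMaint
           maintenance prefix, regardless of the remote address. -->
      <requestFiltering>
        <denyQueryStringSequences>
          <add sequence="wwMaint" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Assumed application path: defence in depth for the whole ISAPI entry
       point. Only the assumed admin subnet may reach wc.dll at all; if the
       application is used from other networks, drop this location block
       and rely on the query-string rule above. -->
  <location path="wc.dll">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="192.0.2.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The `ipSecurity` section requires the "IP and Domain Restrictions" role service to be installed, and `allowUnlisted="false"` locks out everyone not listed, so test from an administrator's address before and after deploying it. Because Request Filtering matches on the query string as received, confirm after deployment that percent-encoded and mixed-case variants of the URL are also refused; if any variant still returns the configuration editor, the filter is not sufficient and the page must stay off the network until Conarc's patch is applied.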


2 comments:

  1. This comment has been removed by a blog administrator.

  2. We have already fixed this vulnerability on iChannel by Conarc; can you please update this blog post with that information? Thanks.
