Four vulnerabilities in total were discovered in Symantec Data Center Security: Server Advanced (SDCS:SA). Vulnerabilities allow a potential attacker to bypass customer protection policies and gain access to the system and the database.
Τα θέματα ασφάλειας περιλαμβάνουν τη δυνατότητα εισtreatmentς SQL (SQL injection), cross-site scripting (XSS), information disclosure and protection policy bypass.
Stefan Viehbock, security researcher at the SEC Consult Vulnerability Lab, discovered the vulnerabilities and reported them to Symantec at 20 October, 2014.
According to one its publication on Thursday, with the SQL injection, which states as CVE-2014-7289, an attacker could send SQL commands and run because of invalid input invalidation which allows read / write access to any record being available in a database .
During his research, Viehbock managed to add a new privilege admin privileges to SDCS: SA.
Using the XSS glitch (CVE-2014-9224) the investigator stated that an attacker could steal a user's session and gain access to the administrator's interface without permission.
With the third vulnerability (CVE-2014-9225), an attacker could benefit from accessing an unprotected script (https: //: 8081 / webui / admin / environment.jsp) containing internal details about requests to the server , such as file paths on the server and version information (OS, Java).
The fourth vulnerability discovered by Viehbock is listed as CVE-2014-9226 and if exploited can bypass pre-selected security protection policies and bypass SDCS:SA client.
Symantec has already released patches, but only for SCSP products 5.2.9 MP6 and SDCS: SA 6.0 MP1.