Four vulnerabilities in total were discovered in Symantec Data Center Security: Server & Hosting Advanced (SDCS:SA). Vulnerabilities allow a potential attacker to bypass customer protection policies and gain access to the system and the database.
The issues ασφάλειας περιλαμβάνουν τη δυνατότητα εισαγωγής SQL (SQL injection), cross-site scripting (XSS), αποκάλυψη πληροφοριών και παράκαμψη της πολιτικής προστασίας.
Stefan Viehbock, security researcher at the SEC Consult Vulnerability Lab, discovered the vulnerabilities and reported them to Symantec at 20 October, 2014.
According to one its publication on Thursday, with SQL injection, listed as CVE-2014-7289, an attacker could send commands SQL and execute due to not validating improper inputs which allows read/write access to any record available in a database.
During his research, Viehbock managed to add a new privilege admin privileges to SDCS: SA.
Using the XSS glitch (CVE-2014-9224) the investigator stated that an attacker could steal a user's session and gain access to the administrator's interface without permission.
With the third vulnerability (CVE-2014-9225), an attacker could benefit from accessing an unprotected script (https: //: 8081 / webui / admin / environment.jsp) containing internal details about requests to the server , such as file paths on the server and version information (OS, Java).
The fourth vulnerability discovered by Viehbock is referred to as CVE-2014-9226, and if utilized, it can override pre-selected security policies and bypass SDCS: SA client.
Symantec has already released patches, but only for the productτα SCSP 5.2.9 MP6 και SDCS:SA 6.0 MP1.