Symantec IM Manager IMAdminLDAPConfig.asp SQL injection

2011-10-31T00:00:00
ID SAINT:0F3687E7B3CE36E77327D457763F8C3F
Type saint
Reporter SAINT Corporation
Modified 2011-10-31T00:00:00

Description

Added: 10/31/2011
CVE: CVE-2011-0553
BID: 49738
OSVDB: 75984

Background

Symantec IM Manager is a solution for managing and securing instant-messaging traffic in an enterprise.

Problem

A SQL injection vulnerability in IMAdminLDAPConfig.asp allows a remote, authenticated attacker to execute arbitrary commands on the server. Because the affected script belongs to the administrative console, the attacker needs a valid management session or must ride on one belonging to an already logged-in user.

Resolution

Upgrade to Symantec IM Manager 8.4.18.

References

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00

Limitations

Exploit works on Symantec IM Manager 8.4.16.

The exploit is delivered through the victim's browser: a user who is already logged in to the IM Manager console must visit the exploit server in a web browser and click the button it presents, so that the injection request is submitted with that user's session. Without such a click the exploit does not succeed.
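Detection and triage logic for the problem and limitations described above, as an added example that is not part of the SAINT entry or of any Symantec code. It walks IIS W3C log lines looking for requests to IMAdminLDAPConfig.asp whose query string carries generic SQL-injection indicators, and flags IM Manager versions below the 8.4.18 fix. The log excerpt is constructed: the virtual directory, the parameter name "ldapServer" and the payloads are invented for the example (the advisory names only the script), and the indicator list is generic MSSQL SQLi signalling, not the actual exploit payload.

```python
"""Added example: spot SQL-injection attempts against IMAdminLDAPConfig.asp in
IIS logs and flag unpatched IM Manager versions (not SAINT or Symantec code)."""
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log excerpt. Directory, parameter name and
# payloads are invented; only the script name comes from the advisory.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2011-10-31 09:12:01 10.0.0.5 GET /IMManager/IMAdminLDAPConfig.asp - 80 admin 10.0.0.20 Mozilla/5.0 200
2011-10-31 09:12:44 10.0.0.5 GET /IMManager/IMAdminLDAPConfig.asp ldapServer=dc01.corp.local 80 admin 10.0.0.20 Mozilla/5.0 200
2011-10-31 09:13:05 10.0.0.5 GET /IMManager/IMAdminLDAPConfig.asp ldapServer=x%27%3Bexec+master..xp_cmdshell+%27whoami%27-- 80 admin 192.0.2.7 Mozilla/5.0 200
2011-10-31 09:13:09 10.0.0.5 GET /IMManager/IMAdminLDAPConfig.asp ldapServer=x%27+or+1%3D1-- 80 admin 192.0.2.7 Mozilla/5.0 500
2011-10-31 09:14:00 10.0.0.5 GET /IMManager/default.asp id=1%27-- 80 admin 10.0.0.20 Mozilla/5.0 200
"""

VULNERABLE_SCRIPT = "imadminldapconfig.asp"   # from the Problem section
FIXED_VERSION = (8, 4, 18)                     # from the Resolution section

# Generic SQL-injection indicators for a MSSQL-backed classic ASP page,
# applied to the URL-decoded query string. Not the advisory's payload.
SQLI_INDICATORS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--|/\*"),
    "stacked": re.compile(r";\s*(exec|execute|declare|select|insert|update|delete|drop)\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "tautology": re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I),
    "union": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
}


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue          # malformed line; a real parser should report it
        yield dict(zip(fields, values))


def find_sqli_attempts(text):
    """Return hits for requests to the vulnerable script whose query string
    carries SQL-injection indicators. Only cs-uri-query is inspected: IIS does
    not log POST bodies, so a form-based injection needs a WAF or proxy log."""
    hits = []
    for rec in parse_iis_log(text):
        if rec["cs-uri-stem"].rsplit("/", 1)[-1].lower() != VULNERABLE_SCRIPT:
            continue
        if rec["cs-uri-query"] == "-":   # IIS writes "-" for an empty field
            continue
        query = unquote_plus(rec["cs-uri-query"])
        matched = sorted(name for name, rx in SQLI_INDICATORS.items() if rx.search(query))
        if matched:
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "client": rec["c-ip"],
                "user": rec["cs-username"],
                "status": rec["sc-status"],
                "query": query,
                "indicators": matched,
            })
    return hits


def is_unpatched(version):
    """True if a dotted IM Manager version string sorts below the 8.4.18 fix.
    Assumes purely numeric components; treats everything below 8.4.18 as
    unpatched, which is the conservative reading of the Resolution section."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED_VERSION


if __name__ == "__main__":
    for h in find_sqli_attempts(SAMPLE_LOG):
        print(h["time"], h["client"], h["user"], h["status"], h["indicators"], h["query"])
    for v in ("8.4.16", "8.4.18", "8.4.20"):
        print(v, "unpatched" if is_unpatched(v) else "patched")
```

The 500 on the second flagged request is the kind of signal worth correlating: a malformed injection attempt often errors out before a working one lands. Because the delivery described under Limitations rides a legitimate administrator's session, the cs-username on the hits will be a real admin account; the client address and referer are what distinguish the attacker-driven request from normal console use.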

Platforms

Windows