Symantec Web Gateway forget.php Blind SQL Injection (SYM11-008)

According to its self-reported version number, the version of Symantec Web Gateway running on the remote host has a SQL injection vulnerability. Input to the 'username' parameter of the 'forget.php' script is not properly sanitized. A remote, unauthenticated attacker could exploit this to...

Symantec Web Gateway管理接口"username" SQL注入漏洞

CVE ID：CVE-2011-0549 Symantec Web Gateway是一款Web安全网关硬件设备。 通过"username"参数传递给管理接口中的forget.php的输入在用于SQL查询之前缺少过滤，攻击者可以通过SQL注入攻击获得敏感信息或操作数据库。 Symantec Web Gateway 4.x 厂商解决方案 用户可参考如下供应商提供的安全公告获得补丁信息：...

ZDI-11-233: Symantec Web Gateway forget.php SQL Injection Vulnerability

ZDI-11-233: Symantec Web Gateway forget.php SQL Injection Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-233 July 7, 2011 -- CVE ID: CVE-2011-0549 -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P -- Affected Vendors: Symantec -- Affected Products: Symantec Web Gateway -- TippingPointTM...

CVE-2011-0549

Concretely, CVE-2011-0549 affects Symantec Web Gateway 4.5.x, where the forget.php management interface passes the username parameter unfiltered, enabling remote SQL injection. The vulnerability allows an unauthenticated attacker to manipulate the backend database; CVSSv2 is 7.5 (HIGH). Vendor ad...

Symantec Web Gateway Blind SQL Injection

SUMMARY Symantecs Web Gateway management GUI is susceptible to blind SQL injection which could result in the injection of arbitrary code into the backend database. AFFECTED PRODUCTS Product | Version | Solution ---|---|--- Symantec Web Gateway | 4.5.x | Upgrade to Symantec Web Gateway 5.0.1 ISSUE...