Symantec reporting server discloses password hash
Symantec refers to a vulnerability in its reporting server product, which under certain circumstances may allow an attacker to obtain the hash for an administrator password. Once in possession of the hash, it is then possible, for example by searching for matches using rainbow tables, to obtain the plaintext password relatively quickly and log on to the system. However, this only enables access to reports on products from Symantec's client security and antivirus product series. Access to other programs running on the same system is not possible by this means.
This problem affects the reporting server, as included in Symantec Client Security 3.1 and SAV CE 10.1. A patch is available, which is already being distributed over the automatic update.
- Symantec Reporting Server Password Disclosure, error report from Symantec
(mba)