In association with heise online

07 February 2008, 11:20

Vulnerability in Symantec's Backup Exec System Recovery Manager

A vulnerability in Symantec's Backup Exec System Recovery Manager allows attackers to remotely inject malicious code onto a server and execute it without authentication. The product is an enterprise-level centralised backup and recovery system for networked hosts.

Details of the vulnerability, located in the FileUpload class of Symantec's LiveState Apache Tomcat Server, are not provided in the vendor's security advisory. Crafted HTTP POST requests can be used to upload arbitrary JSP scripts and have the server execute them. Versions 7.0 and 7.0.1 are affected. Symantec has fixed the flaw in version 7.0.3.
