U-219: Symantec Web Gateway Input Validation Flaws Lets Remote Users Inject SQL Commands, Execute Arbitrary Commands, and Change User Passwords

July 24, 2012 - 7:00am

PROBLEM:

Symantec Web Gateway Input Validation Flaws Lets Remote Users Inject SQL Commands, Execute Arbitrary Commands, and Change User Passwords

PLATFORM:

Symantec Web Gateway 5.0.x.x

ABSTRACT:

Several vulnerabilities were reported in Symantec Web Gateway.

REFERENCE LINKS:

Security Advisories Relating to Symantec Products
SecurityTracker Alert ID: 1027289
Bugtraq ID: 54424
Bugtraq ID: 54425
Bugtraq ID: 54426
Bugtraq ID: 54427
Bugtraq ID: 54429
Bugtraq ID: 54430

IMPACT ASSESSMENT:

High

Discussion:

Several vulnerabilities were reported in Symantec Web Gateway. A remote user can execute arbitrary commands on the target system. A remote user can inject SQL commands. A remote user can change a target user's password.
A remote user can send specially crafted data to the target system and execute arbitrary commands on it [CVE-2012-2953, CVE-2012-2976].
The software does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database [CVE-2012-2574, CVE-2012-2961].
A remote user can supply a specially crafted request to include and execute files located on the target system [CVE-2012-2957].
A remote user can supply a specially crafted request to change a target user's password [CVE-2012-2977].

Impact:

A remote user can execute arbitrary commands on the target system.
A remote user can execute SQL commands on the underlying database.
A remote user can change a target user's password.

Solution:

The vendor has issued a fix (database update 5.0.0.438 for version 5.0.3.18).
The security update addressing these issues has been pushed to customers as an immediately available update. For customers with automatic updating enabled, the update will be applied automatically. Customers who do not have automatic updating enabled will need to apply the update manually by clicking "Check for Updates -> Updates" on the Administration->Updates page for Web Gateway Database Updates and Web Gateway Software Updates.
