Symantec Reporting Server Password Information Disclosure Vulnerability

TITLE: Symantec Reporting Server Password Information Disclosure Vulnerability
CLASS: Design Error
CVE: CVE-2007-3022

REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 05 2007 12:00AM
UPDATE: Jun 06 2007 04:40PM
CREDIT: Mikko Korpp is credited with the discovery of this vulnerability.
VULNERABLE:

Symantec Reporting Server 1.0.197.0
Symantec Client Security 3.1 .401
Symantec Client Security 3.1 .400
Symantec Client Security 3.1 .396
Symantec Client Security 3.1 .394
Symantec Client Security 3.1
Symantec AntiVirus Corporate Edition 10.1 .401
Symantec AntiVirus Corporate Edition 10.1 .400
Symantec AntiVirus Corporate Edition 10.1 .396
Symantec AntiVirus Corporate Edition 10.1 .394
Symantec AntiVirus Corporate Edition 10.1
NOT VULNERABLE:
Symantec Reporting Server 1.0.224.0
Symantec Client Security 3.1.6.6000
Symantec AntiVirus Corporate Edition 10.1.6.600


Discussion

Symantec Reporting Server is prone to an information-disclosure vulnerability.

Successfully exploiting this issue would allow an attacker to obtain sensitive information (password data) that could then be used to gain administrative access to the server database.

Exploit

Solution

The vendor released an update and an advisory to address this issue. Please see the references for more information.

References
