CIA Security Research, Security Alerts, Security Tools for Application Security

- Top Vulnerabilities

- Resources

- Alerts

- Disclosure Guidelines

- Library Updates

- Cenzic Newsletter

- White Paper Download

CIA RESEARCH

Alerts

[CIA-1043-Alert] Symantec Sygate Management Server SQL Injection Vulnerability

Summary:

A vulnerability in the Sygate Management Server (SMS) allows a remote attacker to inject SQL command to overwrite the administrator password.

Technical Details:

Symantec's Sygate Management Server versions 4.1 build 1417 and prior are vulnerable to a SQL injection attack that can give an attacker full control of the system. By injecting a SQL statement that overwrites the stored administrator password the attacker can take over the server. This would allow the attacker to disable particular data collection agents, monitor system activity and processes, and potentially propagate malware to systems managed by the SMS device.

SQL Injection attacks work by using submitting native SQL syntax and commands within application parameters, cookies, or query strings. Due to insufficient input validation, the commands are executed on the underlying database with the privileges associated with the web application or server.

Solution:

Upgrade to a fixed version, available at the link below.

http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html

CVE Reference:

CVE-2006-0522

SecurityTracker Number(s):

1015561

About the Cenzic CIA Team:

Cenzic Intelligent Analysis (CIA) is Cenzic's research arm that focuses on continuous research for application vulnerabilities. Industry Research, Vulnerability assessment, penetration testing, and security testing - that's what Cenzic Intelligent Analysis Research is all about. Cenzic has dedicated experts whose sole job is to perform ongoing research to find not only common vulnerabilities but also vulnerabilities found in customer applications and make them available to our customers and to the community at large.

About Cenzic:

Cenzic provides Hailstorm® the revolutionary enterprise software suite for automated application security assessment and compliance that allows corporations and government organizations to dramatically improve the security of commercial and custom applications. Hailstorm enables security experts, QA professionals, and developers to work together to assess, analyze, and remediate applications for security vulnerabilities, and verify compliance with security policies. Benefits include reduced security risk and liability, lower development and testing costs, and faster time-to-market. Cenzic's customers are currently in the financial services and e-marketplaces sectors. For more information visit www.cenzic.com or call 1-866-4-CENZIC


>	Datasheet: Hailstorm Enterprise ARC
>	Datasheet: Hailstorm Pro
>	Datasheet: Hailstorm Starter
>	Datasheet: Hailstorm Core
>	White Paper: Beyond Simple Vulnerabilities Scanning
>	White Paper: Cross Frame Scripting
>	White Paper: Cenzic Imperative Assessment Plan
>	White Paper: Enabling Security in the Software Development Lifecycle (PDF)