CVE-2010-0112 Information

Description

Multiple SQL injection vulnerabilities in the Administrative Interface in the IIS extension in Symantec IM Manager before 8.4.16 allow remote attackers to execute arbitrary SQL commands via (1) the rdReport parameter to rdpageimlogic.aspx, related to the sGetDefinition function in rdServer.dll and SQL statements contained within a certain report file; (2) unspecified parameters in a DetailReportGroup (aka DetailReportGroup.lgx) action to rdpageimlogic.aspx; the (3) selclause, (4) whereTrendTimeClause, (5) TrendTypeForReport, (6) whereProtocolClause, or (7) groupClause parameter in a SummaryReportGroup (aka SummaryReportGroup.lgx) action to rdpageimlogic.aspx; the (8) loginTimeStamp, (9) dbo, (10) dateDiffParam, or (11) whereClause parameter in a LoggedInUsers (aka LoggedInUSers.lgx) action to (a) rdpageimlogic.aspx or (b) rdPage.aspx; the (12) selclause, (13) whereTrendTimeClause, (14) TrendTypeForReport, (15) whereProtocolClause, or (16) groupClause parameter to rdpageimlogic.aspx; (17) the groupList parameter to IMAdminReportTrendFormRun.asp; or (18) the email parameter to IMAdminScheduleReport.asp.

Reference

http://osvdb.org/68901
http://osvdb.org/68902
http://osvdb.org/68903
http://secunia.com/advisories/41959
http://www.securityfocus.com/bid/44299
http://www.securitytracker.com/id?1024648
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101027_01
http://www.vupen.com/english/advisories/2010/2789
http://www.zerodayinitiative.com/advisories/ZDI-10-220/
http://www.zerodayinitiative.com/advisories/ZDI-10-221/
http://www.zerodayinitiative.com/advisories/ZDI-10-222/
http://www.zerodayinitiative.com/advisories/ZDI-10-223/
http://www.zerodayinitiative.com/advisories/ZDI-10-224/
http://www.zerodayinitiative.com/advisories/ZDI-10-225/
http://www.zerodayinitiative.com/advisories/ZDI-10-226/
https://exchange.xforce.ibmcloud.com/vulnerabilities/62806
