Three vulnerabilities are identified in the Hosting Control Panel. Idera thanks [www.rack911.com|http://www.rack911.com/] for bringing these issues to our attention and working closely with us on resolution.
h2. Severity
Idera rates these vulnerabilities Critical.
h2. Risk Assessment
A link following weakness was discovered in the Server Backup Manager Hosting Control Panel Web interface. A control panel user can download files outside of their home directory if they have permission to list the files. If the control panel user’s home directory is on the root filesystem or the Linux kernel version is older than 3.6, this could include the Linux /etc/shadow file.
...
A UNIX symbolic link following weakness was discovered in the Server Backup Agent. A control panel user can use the restore functionality to delete files outside of their home directories. The user is unable to replace files. This issue can lead to a denial of service if the target files are critical system files.
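Both weaknesses share one root cause: a path inside the user's home directory is trusted before the symlinks in it are resolved. The hardened check below is an added example, not Idera's code; it builds a constructed home directory containing a symlink to a stand-in for /etc/shadow and shows that resolving the path first and confining the result to the home directory rejects both the symlink and classic dot-dot traversal.

```python
import os
import tempfile


def safe_resolve(home: str, requested: str) -> str:
    """Return an absolute path for `requested` only if it still lies inside
    `home` after every symlink has been resolved; otherwise raise
    PermissionError. Checking the resolved path means a symlink in the
    home directory that points at /etc/shadow is rejected, not followed."""
    home_real = os.path.realpath(home)
    candidate = os.path.realpath(os.path.join(home_real, requested.lstrip("/")))
    if os.path.commonpath([home_real, candidate]) != home_real:
        raise PermissionError(f"{requested!r} resolves outside {home!r}")
    return candidate


def demo() -> dict:
    """Constructed scenario: a user home containing a symlink that points
    at a file outside the home directory (standing in for /etc/shadow)."""
    root = tempfile.mkdtemp()
    outside = os.path.join(root, "shadow")          # stand-in for /etc/shadow
    home = os.path.join(root, "home", "user")
    os.makedirs(home)
    with open(outside, "w") as fh:
        fh.write("root:*:0:0:::\n")
    os.symlink(outside, os.path.join(home, "notes.txt"))
    with open(os.path.join(home, "real.txt"), "w") as fh:
        fh.write("ok\n")

    results = {}
    # Naive handling: join home and the requested name, then follow the link.
    naive = os.path.join(home, "notes.txt")
    results["naive_follows_outside"] = os.path.realpath(naive) == os.path.realpath(outside)
    # Hardened handling: the symlinked entry is refused, a regular file is served.
    try:
        safe_resolve(home, "notes.txt")
        results["hardened_rejects_symlink"] = False
    except PermissionError:
        results["hardened_rejects_symlink"] = True
    results["hardened_accepts_real"] = safe_resolve(home, "real.txt").endswith("real.txt")
    # Dot-dot traversal is caught by the same confinement check.
    try:
        safe_resolve(home, "../../shadow")
        results["hardened_rejects_dotdot"] = False
    except PermissionError:
        results["hardened_rejects_dotdot"] = True
    return results
```

The same `safe_resolve` check applies to the restore path: a delete target is validated after resolution, so a symlink inside the home directory cannot redirect the deletion to a critical system file.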
h2. Risk Mitigation
Users must use one of the following options:
* Immediately upgrade to Server Backup Manager SE 5.4.2 and Server Backup Agent 5.4.2 or later
OR
* Disable all configured Hosting Control Panel instances on your SBM policies. This action prevents a control panel end user from exploiting the vulnerabilities.
h2. Vulnerability
Affected versions include:
- Server Backup Manager SE 5.4.1 and earlier
- Server Backup Advanced Edition 5.2.2 and earlier
h2. Fix
{note:title=Upgrade Note: Server Backup Advanced users}
...