Symantec IM Manager whereClause Parameter SQL Injection (SYM10-010)
Critical Nessus Plugin ID 50433
Synopsis
A web application on the remote Windows host is prone to a SQL injection attack.
Description
The version of Symantec IM Manager installed on the remote Windows host fails to sanitize input to the 'whereClause' parameter of the 'rdpageimlogic.aspx' script before using it in the 'LoggedInUsers.lgx' definition file to construct database queries.
An unauthenticated attacker may be able to exploit this issue to manipulate database queries, leading to disclosure of sensitive information or attacks against the underlying database.
Note that the application is also likely to be affected by several other related SQL injection vulnerabilities, although Nessus has not checked them.
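The pattern the description refers to, a client-supplied 'whereClause' spliced into statement text, is shown below next to a hardened builder that only accepts structured filters. This is an added illustration, not code from Nessus or Symantec IM Manager; the table, column names and sample rows are constructed stand-ins, since the page does not show the product's schema.

```python
import sqlite3

# Constructed sample data standing in for a logged-in-users table.
SAMPLE_ROWS = [
    ("alice", "sales", 1),
    ("bob", "engineering", 1),
    ("carol", "engineering", 0),
]

# Hypothetical columns a client may filter on; identifiers cannot be
# bound as parameters, so they are checked against this allowlist.
ALLOWED_COLUMNS = {"username", "department", "logged_in"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logged_in_users "
        "(username TEXT, department TEXT, logged_in INTEGER)"
    )
    conn.executemany("INSERT INTO logged_in_users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, where_clause):
    """Vulnerable pattern: the raw WHERE clause from the request becomes
    part of the SQL text, so the client controls query structure."""
    sql = "SELECT username FROM logged_in_users WHERE " + where_clause
    return [row[0] for row in conn.execute(sql)]


def build_where(filters):
    """Build 'col = ? AND col = ?' from {column: value}. Unknown columns
    are rejected; values go to the driver as bound parameters."""
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unsupported filter column: {column!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    return (" AND ".join(clauses) or "1 = 1"), params


def query_safe(conn, filters):
    """Hardened variant: the server, not the client, decides the clause shape."""
    where, params = build_where(filters)
    sql = "SELECT username FROM logged_in_users WHERE " + where
    return [row[0] for row in conn.execute(sql, params)]
```

Because values are bound rather than concatenated, a filter value containing a quote is matched literally instead of altering the query.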
Solution
Upgrade to Symantec IM Manager 8.4.16 or later.