Tivoli Provisioning Manager Express for Software Distribution Multiple SQL Injections
Severity: High. Nessus Plugin ID 58529

Synopsis
The remote web application is affected by multiple SQL injection vulnerabilities.

Description
The remote web application fails to properly sanitize user-supplied input to the following servlets:
- Printer.getPrinterAgentKey() in the SoapServlet servlet
- User.updateUserValue() in the register.do servlet
- User.isExistingUser() in the logon.do servlet
- Asset.getHWKey() in the CallHomeExec servlet
- Asset.getMimeType() in the getAttachment servlet
An unauthenticated, remote attacker can leverage these issues to manipulate database queries, leading to the disclosure of sensitive information, attacks against the underlying database, and the like.
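As an added defender-side example (not code from the Nessus plugin or from IBM's product), the following Python script triages web-server access logs for requests to the five servlets listed above that carry common SQL injection indicators; the /tpmx/ path prefix and the log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Servlet names listed in the advisory. The "/tpmx/" prefix in the sample
# below is an assumption; matching is done on the last path segment only.
AFFECTED_SERVLETS = {"SoapServlet", "register.do", "logon.do",
                     "CallHomeExec", "getAttachment"}

# Conservative indicators for triage, not a complete injection ruleset.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("comment", re.compile(r"(--|/\*)")),
    ("stacked", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
]

# NCSA combined log format, as written by Apache httpd or a fronting proxy.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def is_affected_servlet(path):
    return path.rstrip("/").rsplit("/", 1)[-1] in AFFECTED_SERVLETS

def sqli_indicators(query_string):
    decoded = unquote_plus(unquote_plus(query_string))  # also catch double encoding
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]

def scan_log(lines):
    """Return (client ip, servlet path, indicators) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not is_affected_servlet(parts.path):
            continue
        found = sqli_indicators(parts.query)
        if found:
            hits.append((m.group("ip"), parts.path, found))
    return hits

# Constructed sample lines; the client addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2012:13:55:36 +0000] "GET /tpmx/logon.do?userid=admin%27+OR+%271%27%3D%271&password=x HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Apr/2012:13:55:40 +0000] "GET /tpmx/logon.do?userid=alice&password=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Apr/2012:14:02:11 +0000] "GET /tpmx/getAttachment?id=1%20UNION%20SELECT%20null HTTP/1.1" 500 128',
    '198.51.100.7 - - [10/Apr/2012:14:02:15 +0000] "GET /tpmx/help.jsp?id=1%27-- HTTP/1.1" 200 44',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first and third lines only; the fourth carries an indicator but targets a servlet outside the advisory's list, which keeps the triage focused on the affected endpoints.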
Solution
There is no replacement for Tivoli Provisioning Manager Express for Software Distribution. IBM recommends installing Tivoli Endpoint Manager for Lifecycle Management v8.1 or later.