Mandriva Linux Security Advisory : backuppc (MDVSA-2013:062)

Medium Nessus Plugin ID 66076


The remote Mandriva Linux host is missing a security update.


Updated backuppc packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in BackupPC 3.1.0, 3.2.1, and possibly other earlier versions allows remote attackers to inject arbitrary web script or HTML via the share parameter in a RestoreFile action to index.cgi (CVE-2011-5081).

Cross-site scripting (XSS) vulnerability in BackupPC 3.0.0, 3.1.0, 3.2.0, 3.2.1, and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the num parameter in a view action to index.cgi, related to the log file viewer (CVE-2011-4923).

Also, this update package corrects and improves the definition of variables in the configuration file of backuppc: the variables SshPath, SmbClientPath, NmbLookupPath, TarClientPath, and TopDir. As a result, backuppc should now run with the default values installed by the Mageia package; modifications should only be required for defining site-specific settings.


Update the affected backuppc package.

Plugin Details

Severity: Medium

ID: 66076

File Name: mandriva_MDVSA-2013-062.nasl

Version: $Revision: 1.4 $

Type: local

Published: 2013/04/20

Modified: 2016/03/14

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:backuppc, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2013/04/08

Reference Information

CVE: CVE-2011-4923, CVE-2011-5081

BID: 47628, 50406

OSVDB: 72054, 72055

MDVSA: 2013:062

MGASA: 2012-0139