CVE-2014-7866 : Fix for Remote code execution via file upload vulnerability

CVE-2014-7866 : Fix for Remote code execution via file upload vulnerability

Details of Vulnerability:

Vulnerability: Remote code execution via file upload (unauthenticated 
on OpManager and Social IT) 
CVE-2014-7866 
Constraints: no authentication needed for OpManager and Social IT; 
authenticated in IT360 

a) 
POST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00 
Affected versions: Unknown, at least OpManager v8 build 88XX to 
11.3/11.4; IT360 10.3/10.4; Social IT 11.0 

b) 
POST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00 
Affected versions: Unknown, at least OpManager v8 build 88XX to 
11.3/11.4; IT360 10.3/10.4; Social IT 11.0 
 


Fix:(Compatible for 11300 & 11400 builds)

1)Download the attached patch

2)Extract it under /OpManager

3)Stop and Start OpManager


note: This fix will be implemented in build 11500 release.





      New to M365 Manager Plus?
      New to M365 Manager Plus?
        New to RecoveryManager Plus?
        New to RecoveryManager Plus?
          New to Exchange Reporter Plus?
          New to Exchange Reporter Plus?
            New to SharePoint Manager Plus?
            New to SharePoint Manager Plus?
                See all integrations
                New to ADManager Plus?
                See all integrations
                New to ADManager Plus?

                  New to ADSelfService Plus?

                  Start your free trial
                  Start your free trial

                    • Related Articles

                    • Servlet Vulnerability Fix

                      This fix is compatible only for build 11300(OpManager and Social IT Plus).  Please follow these steps. 1)Download the attached zip file and extract it under /OpManager 2)Stop and Start OpManager Note: This zip file contains the fix for these ...

                    • PGSQL:SubmitQuery.do vulnerability (CVE-2015-7765, CVE-2015-7766)

                      http://seclists.org/fulldisclosure/2015/Sep/66 Vulnerability Detail: Any account that has access to the web interface with Administrator rights has the possibility to use a web form to execute SQL queries on the backend PostgreSQL instance. By ...

                    • SQL Injection Vulnerability FIx

                      Vulnerability: Blind SQL injection (unauthenticated) Fix: Upgrade to Social IT vXXXX; OpManager vXXXX; IT360 vXXXX Constraints: no authentication needed for OpManager and Social IT; authenticated in IT360 a) POST ...

                    • HTTP Server Prone To Slow Denial Of Service Attack(CVE-2007-6750 CVE-2012-5568)

                      Few third party vulnerability scanning tools has reported that OpManager has this DOS vulnerability CVE-2007-6750 CVE-2012-5568. TOMCAT developers have mentioned that it is not a vulnerability in TOMCAT and they don't have the plans to to fix it. ...

                    • Poodle Vulnerability CVE-2014-3566

                      POODLE, which stands for Padding Oracle on Downloaded Legacy Encryption, makes it possible for hackers to snoop on a user’s web browsing. The problem is an 18-year-old encryption standard, known as SSL v3, which is still used by older browsers like ...

                      Related Products