|Check Point Reference:
|| 5 Jul 2006
||15 May 2007
|Protection Provided by:
|Who is Vulnerable?|| Symantec's Sygate Management Server (SMS) version 4.1, build 1417 and earlier|
||A vulnerability was identified in Symantec's Sygate Management Server (SMS). A remote attacker could supply code into a URL which would allow the attacker to overwrite the password for any SMS account. Successful exploitation would allow the attacker to access any SMS console with the account's administrator privileges.
|Update/Patch Avaliable||The vendor has issued a fix.|
|Vulnerability Details||The application does not properly validate user-supplied input. An attacker could inject a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited to overwrite the password for any SMS account with administrative rights, potentially allowing an attacker to disable all agents or propagate malware to all managed agents.|