McAfee ePolicy Orchestrator 4.6.5 SQL injection & directory traversal

2013.06.22

Credit: Jerome Nokin

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

If you heard about the following vulnerabilities in McAfee ePolicy Orchestrator version 4.6.5 and earlier:

    CVE-2013-0140 &#8211; Pre-authenticated SQL injection
    CVE-2013-0141 &#8211; Pre-authenticated directory path traversal

and your environment haven't been updated yet, then you should consider watching this video&#8230;

Main Features:

    Remote command execution on the ePo server.
    Remote command execution on the Managed stations (one ring to rule them all).
    File upload on the ePo server.
    Active Directory credentials stealing.

References:

http://www.youtube.com/watch?feature=player_embedded&v=ap2PSZMOTbI

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

McAfee ePolicy Orchestrator 4.6.5 SQL injection & directory traversal

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.