STE WILLIAMS

Commvault’s Edge Server offers users the chance to view and access their backups from mobile devices, a trick it enables in part by using a web server.

But version 10 R2 of that server has a problem: it “deserializes untrusted, user-provided cookie data, resulting in arbitrary OS command execution with the web server’s privileges.”

This isn’t going to happen by accident: the CERT notice of the problem says a “A remote, unauthenticated attacker can provide specially crafted cookie data” to corrupt the web server.

But there’s no fix as yet and the suggested workaround – “only allow connections from trusted hosts and networks” – is a nonsense because one usage scenario for Edge Server is allowing users of mobile devices to access backups. A stolen mobile device will look just like a trusted host and network, especially in the minutes or hours between a device’s disappearance and the loss being reported. Commvault’s site is currently silent on the matter. ®

Sponsored:
Go beyond APM with real-time IT operations analytics

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/backup_software_that_cracks_web_servers_yup_its_a_thing/