Archive for October, 2014

Idera Server Backup Manager (R1Soft) – Session Fixation Vulnerability (R911-0170)

Wednesday, October 29th, 2014

Type: Session Fixation
Location: Remote
Impact: High
Product: Idera Server Backup Manager (R1Soft)
Website: http://www.idera.com
Vulnerable Version: All versions prior to fixed version.
Fixed Version: 5.8.1
CVE:
R911: 0170
Date: 2014-10-29
By: RACK911

Product Description:

Idera Server Backup Manager is affordable, high-performance disk-to-disk backup software for Linux and Windows servers. (The product was previously better known as R1Soft Backup.)

Vulnerability Description:

A malicious user can take over an authenticated user or administrator session by session fixation, which could result in unauthorized access.
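The advisory gives no code, so the following is an added illustration of the session-handling pattern behind a session fixation weakness beside its hardened form, written as example code that is not Idera's or R1Soft's. Both stores, the `fixation_resistant` reviewer check and the constructed id `attacker-known-id` are assumptions for this example; the defence shown (issue a fresh, server-generated id at login and refuse ids the server never issued) is the standard mitigation for this vulnerability class.

```python
"""Hypothetical example (not Idera/R1Soft code): a session store that is
prone to fixation, a hardened store, and a check a reviewer can run."""
from __future__ import annotations

import hmac
import secrets
import time
from typing import Dict, Optional


def _new_session_id() -> str:
    # 256 bits from the OS CSPRNG; never derived from client-supplied input.
    return secrets.token_urlsafe(32)


class FixationProneStore:
    """Keeps the same session id across login and honours any id the client
    presents. If a victim can be made to use an id that is already known to
    someone else, that id becomes an authenticated session when the victim
    logs in, which is the session fixation weakness."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def begin(self, presented: Optional[str]) -> str:
        # Weak: accepts an id the server never issued.
        sid = presented or _new_session_id()
        self.sessions.setdefault(sid, {"user": None, "created": time.time()})
        return sid

    def login(self, sid: str, user: str) -> str:
        # Weak: authenticates in place, id unchanged.
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        data = self.sessions.get(sid)
        return data["user"] if data else None


class HardenedStore:
    """Issues a fresh id on every privilege change and ignores ids it did not
    itself issue, so a pre-authentication id never becomes a valid
    authenticated session."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.sessions: Dict[str, dict] = {}
        self.ttl = ttl_seconds

    def _find(self, sid: str) -> Optional[str]:
        # Constant-time comparison so lookups leak no timing information;
        # expired entries are dropped on access.
        match = next((k for k in self.sessions if hmac.compare_digest(k, sid)), None)
        if match and time.time() - self.sessions[match]["created"] > self.ttl:
            del self.sessions[match]
            return None
        return match

    def begin(self, presented: Optional[str]) -> str:
        # Only server-issued ids are honoured; anything else starts a new
        # anonymous session with a server-generated id.
        if presented and self._find(presented):
            return presented
        sid = _new_session_id()
        self.sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def login(self, sid: str, user: str) -> str:
        # Invalidate the pre-auth session and bind the user to a fresh id.
        old = self._find(sid)
        if old:
            del self.sessions[old]
        fresh = _new_session_id()
        self.sessions[fresh] = {"user": user, "created": time.time()}
        return fresh

    def user_for(self, sid: str) -> Optional[str]:
        match = self._find(sid)
        return self.sessions[match]["user"] if match else None


def fixation_resistant(store) -> bool:
    """Reviewer check: an id held before login must not identify the user
    after login, while the id returned by login must. True means the store
    passes."""
    pre_auth = store.begin("attacker-known-id")  # constructed id, known before login
    post_auth = store.login(pre_auth, "admin")
    return store.user_for(pre_auth) is None and store.user_for(post_auth) == "admin"


if __name__ == "__main__":
    print("weak store resistant:", fixation_resistant(FixationProneStore()))
    print("hardened store resistant:", fixation_resistant(HardenedStore()))
```

The check is what a code reviewer or tester would run against a real session layer: log in while holding a known id, then confirm that the known id no longer resolves to the account. Real frameworks expose the same fix as a "regenerate session id" call to be made immediately after successful authentication.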

Impact:

We have rated this vulnerability HIGH because it could lead to unauthorized access.

Vulnerable Version:

This vulnerability is believed to exist in all previous versions.

Fixed Version:

This vulnerability was patched in Idera Server Backup Manager (R1Soft) v5.8.1.

Vendor Contact Timeline:

2014-09-10: Vendor contacted via email.
2014-09-10: Vendor confirms vulnerability.
2014-10-27: Vendor issues update.
2014-10-29: RACK911 issues security advisory.