The specific flaw exists within the discoverFilerBasicInfo.jsft page. An attacker can inject SQL through the filerName field on this page and use it to gain full administrator credentials for Data Manager.
05/02/2014 - ZDI disclosed vulnerability to vendor
-- Vendor Mitigation:
To mitigate this vulnerability, you can stop the Data Manager Service when not in use. To do so, perform the following procedure:
Impact of action: Performing the following procedure should not have a negative impact on your system.
Log in as admin to Data Manager Web Application.
Andrea Micalizzi (rgod)