Avaya System Products Shell Command Injection Vulnerabilities

Bugtraq ID:	22854
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 06 2007 12:00AM
Updated:	Mar 08 2007 05:25PM
Credit:	The vendor disclosed these issues.
Vulnerable:	Avaya SES 3.0 Avaya SES 2.0 Avaya S8710 CM 3.1 Avaya S8710 CM 2.0 Avaya S8700 CM 3.1 Avaya S8700 CM 2.0 Avaya S8500 CM 3.1 Avaya S8500 CM 2.0 Avaya S8500 0 Avaya S8300 CM 3.1 Avaya S8300 CM 2.0 Avaya S8300 0
Not Vulnerable:

Avaya System Products Shell Command Injection Vulnerabilities

Avaya System Products are prone to unspecified shell-command-injection vulnerabilities.

Specific Avaya products that contain maintenance web pages may allow authenticated users to issue shell commands through their HTTP interface.

Commands executed through these vulnerabilities could permit an attacker to gain access to a vulnerable system. Commands are executed in the context of the authenticated user.

Avaya System Products Shell Command Injection Vulnerabilities

Attackers can exploit this issue using a browser and conventional shell commands.

Avaya System Products Shell Command Injection Vulnerabilities

Solution:
The vendor has released fixes for these issues. Please see the vendor references for more information.

Avaya System Products Shell Command Injection Vulnerabilities

References:

• Avaya Homepage (Avaya Inc.)
  
• ASA-2007-052 Shell command injection vulnerabilities (Avaya Inc.)