Summary
This host has a BackupPC installation and is prone to a security bypass vulnerability.
Impact
Successful attacks may allow remote authenticated users to read and write sensitive files by modifying ClientNameAlias to match another system, then initiating a backup or restore on the victim's system.
Impact Level: System
Solution
Update to version 3.1.0-7 or later.
For updates refer to http://backuppc.sourceforge.net
Insight
The security issue is due to the application allowing users to set the 'ClientNameAlias' option for configured hosts. This can be exploited to back up arbitrary directories from client systems for which Rsync over SSH is configured as a transfer method.
Affected
BackupPC version 3.1.0 and prior.
Severity
Classification
- CVE: CVE-2009-3369
- CVSS Base Score: 8.5
- CVSS Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C