This article is more than 1 year old
Backup software that cracks web servers? Yup. It's a thing
Crooked cookies can cook Commvault and allow arbitrary OS command execution
Updated Commvault's Edge Server offers users the chance to view and access their backups from mobile devices, a trick it enables in part by using a web server.
But version 10 R2 of that server has a problem: it “deserializes untrusted, user-provided cookie data, resulting in arbitrary OS command execution with the web server's privileges.”
This isn't going to happen by accident: the CERT notice of the problem says a “A remote, unauthenticated attacker can provide specially crafted cookie data” to corrupt the web server.
But there's no fix as yet and the suggested workaround - “only allow connections from trusted hosts and networks” - is a nonsense because one usage scenario for Edge Server is allowing users of mobile devices to access backups. A stolen mobile device will look just like a trusted host and network, especially in the minutes or hours between a device's disappearance and the loss being reported. Commvault's site is currently silent on the matter. ®
Updated to add
A hotfix is now available to patch the aforementioned security vulnerability.