Secunia

Some vulnerabilities and a weakness have been reported in CA eTrust Security Command Center, which can be exploited by malicious, local users to disclose or manipulate sensitive information, and by malicious people to disclose system information and bypass certain security restrictions.

1) An input validation error in the PIProfile function in the ePPIServlet script can be exploited to disclose the full path to the web server via the quote character.

The weakness has been reported in versions r8, r8 SP1 CR1, r8 SP1 CR2, and 1.0.

2) An error exists in the verification of the temporary file location returned by the "getadhochtml()" function. This can be exploited by a malicious, local user to disclose the content of or delete arbitrary files.

The vulnerability has been reported in versions r8, r8 SP1 CR1, and r8 SP1 CR2.

3) An error caused due to missing authentication in the event alerting system can be exploited to cause false-positive alerts via certain replay attacks.

The vulnerability has been reported in versions r8, r8 SP1 CR1, r8 SP1 CR2, and 1.0.

Solution
1-2) Apply updates.
Further details available in Customer Area

Provided and/or discovered by
The vendor credits Patrick Webster.

Original Advisory
CA:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34616
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34617
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34618

Deep Links
Links available in Customer Area