Affected Versions:
Symantec IM Manager 8.4.15
Symantec IM Manager 8.4.13
Symantec IM Manager 8.4.5
Symantec IM Manager 8.4
Symantec IM Manager 8.3
Vulnerability description:
Symantec IM Manager provides authentication support for enterprise IM networks, seamlessly manages enterprise instant messaging, and implements security assurance, logging, and archiving.
Symantec IM Manager has multiple input validation issues. Remote attackers can exploit these vulnerabilities to launch SQL injection attacks, obtaining sensitive information or manipulating the database.
- The management interface in IM Manager is defective. The home page of the installed IIS extension requires authentication, but many pages can be accessed directly. The IMAdminScheduleReport.asp script does not fully filter the email parameter, which allows SQL injection. IMAdminReportTrendFormRun.asp does not filter the groupList parameter, and the rdpageimlogic.aspx script does not filter selclause, whereTrendTimeClause, TrendTypeForReport, whereProtocolClause, and groupClause.
- The rdpageimlogic.aspx and rdPage.aspx pages have a defect. By setting the rdReport parameter to the value LoggedInUsers, an attacker can force the server to load the LoggedInUsers.lgx definition file, which is open to SQL injection through the loginTimeStamp, dbo, dateDiffParam, and whereClause parameters.
- The rdpageimlogic.aspx page has a defect. By setting the rdReport parameter to the value SummaryReportGroup, an attacker can force the server to load the SummaryReportGroup.lgx definition file, which is open to SQL injection through the selclause, whereTrendTimeClause, TrendTypeForReport, whereProtocolClause, and groupClause parameters.
- The rdpageimlogic.aspx page has a defect. By setting the rdReport parameter to the value DetailReportGroup, an attacker can force the server to load the DetailReportGroup.lgx definition file. Multiple parameters in this file are open to SQL injection.
- The IM Manager interface listens on TCP port 80 by default. When a request is parsed, rdpageimlogic.aspx does not validate the rdReport variable. It parses the SQL statements in the file that this variable points to. Remote attackers can exploit this vulnerability to inject arbitrary SQL statements into the backend database.
References:
http://www.zerodayinitiative.com/advisories/ZDI-10-220/
http://www.zerodayinitiative.com/advisories/ZDI-10-221/
http://www.zerodayinitiative.com/advisories/ZDI-10-222/
http://www.zerodayinitiative.com/advisories/ZDI-10-223/
http://www.zerodayinitiative.com/advisories/ZDI-10-224/
http://www.zerodayinitiative.com/advisories/ZDI-10-225/
http://www.zerodayinitiative.com/advisories/ZDI-10-226/
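Detection example (added here, not part of the original advisory or of any Symantec code): a scan of IIS W3C logs for requests to the scripts named above that carry the parameters the advisory lists as unfiltered, so they can be reviewed. The log lines, URL paths and IP addresses are constructed samples; only the script and parameter names come from the advisory.

```python
from urllib.parse import parse_qs

# Scripts and parameters named in the advisory, lower-cased for matching.
CLAUSES = {"selclause", "wheretrendtimeclause", "trendtypeforreport",
           "whereprotocolclause", "groupclause"}
LOGGED_IN = {"logintimestamp", "dbo", "datediffparam", "whereclause"}
WATCHED = {
    "imadminschedulereport.asp": {"email"},
    "imadminreporttrendformrun.asp": {"grouplist"},
    "rdpageimlogic.aspx": {"rdreport"} | CLAUSES | LOGGED_IN,
    "rdpage.aspx": {"rdreport"} | LOGGED_IN,
}

# Constructed sample log (assumed paths and addresses, placeholder values).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-11-02 09:14:01 GET /IMManager/Admin/IMAdmin.asp - 10.0.0.5 200
2010-11-02 09:15:12 GET /IMManager/rdpageimlogic.aspx rdReport=SummaryReportGroup&selclause=PLACEHOLDER 198.51.100.7 200
2010-11-02 09:15:40 GET /IMManager/Admin/IMAdminReportTrendFormRun.asp groupList=PLACEHOLDER 198.51.100.7 500
2010-11-02 09:16:03 GET /IMManager/rdPage.aspx rdReport=LoggedInUsers 10.0.0.5 200
"""

def scan(log_text):
    """Return (client_ip, script, watched_params) for each request to review."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        script = row.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        watched = WATCHED.get(script)
        if not watched:
            continue
        # Only query-string parameters appear in W3C logs; POST bodies do not.
        query = row.get("cs-uri-query", "-")
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        found = sorted(params & watched)
        if found:
            hits.append((row.get("c-ip", "?"), script, found))
    return hits

if __name__ == "__main__":
    for ip, script, params in scan(SAMPLE_LOG):
        print(f"{ip} -> {script}: {', '.join(params)}")
```

A hit is a request to review, not proof of injection: rdReport and email also appear in legitimate use, while clause parameters arriving from addresses outside the administrator network deserve the closest look.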
Fix:
You can obtain the patch information by referring to the security advisory provided by the vendor:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101027_01