CVE-2011-3361 in BackupPC
Summary
by MITRE
Cross-site scripting (XSS) vulnerability in CGI/Browse.pm in BackupPC 3.2.0 and possibly other versions before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a browse action to index.cgi.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/08/2025
The CVE-2011-3361 vulnerability represents a critical cross-site scripting flaw in BackupPC version 3.2.0 and earlier, specifically within the CGI/Browse.pm component. This vulnerability resides in the web-based interface of BackupPC, a widely used open-source backup solution that enables administrators to manage and monitor backup operations across multiple systems. The flaw manifests when the application fails to properly sanitize user input before incorporating it into web responses, creating an avenue for malicious actors to execute arbitrary scripts in the context of other users' browsers.
The technical implementation of this vulnerability occurs through the num parameter within the browse action of index.cgi, which processes user requests to view backup data. When an attacker submits malicious input through this parameter, the application does not adequately filter or escape the data before rendering it in the web page response. This allows attackers to inject HTML code or JavaScript that executes in the victim's browser when they view the affected page. The vulnerability specifically targets the browse functionality, which is commonly used to navigate through backup file structures and access backup content, making it a particularly dangerous flaw given the sensitive nature of backup data.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, data theft, and privilege escalation within the backup management environment. An attacker could potentially steal administrator credentials, access confidential backup data, or even manipulate backup operations to compromise the entire backup infrastructure. Given that BackupPC is often deployed in enterprise environments where it manages critical system backups, the potential for damage is significant. The vulnerability affects not just individual user sessions but could potentially allow attackers to gain unauthorized access to backup repositories containing sensitive organizational data.
The flaw aligns with CWE-79, which specifically addresses Cross-Site Scripting vulnerabilities in software applications, and demonstrates how inadequate input validation and output encoding can create persistent security risks. From an ATT&CK perspective, this vulnerability maps to T1059.007 for Scripting and T1566.001 for Phishing, as attackers could leverage the XSS to deliver malicious payloads or harvest credentials. The vulnerability also relates to T1078.004 for Valid Accounts, as successful exploitation could lead to unauthorized access to backup systems. Organizations utilizing BackupPC should immediately apply the patch released in version 3.2.1, which implements proper input sanitization and output encoding for the affected parameter. Additionally, network segmentation, web application firewalls, and regular security assessments should be implemented to provide defense-in-depth measures against similar vulnerabilities that may exist in other components of the backup infrastructure.