ZENworks Mobile Management DUSAP.php Vulnerability

This document (7011896) is provided subject to the disclaimer at the end of this document.

Environment

Novell ZENworks Mobile Management 2.7.0
Novell ZENworks Mobile Management 2.6.1

Situation

A vulnerability has been identified in ZENworks Mobile Management (ZMM). The product installs a PHP-based web interface on IIS. By directly invoking a script called DUSAP.php, it is possible to bypass the authentication mechanism.

Resolution

This fix will be incorporated into future releases.

Cause

This is effectively the result of missing validation checks of the language variable.

Status

Security Alert

Additional Information

The fix is a simple check of the value of the language variable against the supported languages. The script receives a 'language' variable, which is later used to include arbitrary resources from the local filesystem via require_once().
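The allowlist check described above, as an added example (not Novell's code and not taken from DUSAP.php). The `lang` directory, the list of supported languages and the helper name `resolveLanguageFile` are assumptions for illustration; only the `language` parameter and `require_once()` come from this document.

```php
<?php
declare(strict_types=1);

// Assumed layout and language list (hypothetical, not taken from the product).
const LANG_DIR = __DIR__ . '/lang';
const SUPPORTED_LANGUAGES = ['en' => 'en.php', 'de' => 'de.php', 'fr' => 'fr.php'];
const DEFAULT_LANGUAGE = 'en';

// Unsafe pattern of the kind the advisory describes, shown for contrast only:
//   require_once LANG_DIR . '/' . $_REQUEST['language'] . '.php';
// The request value becomes part of the path, so the caller picks the file.

/**
 * Map a request-supplied language code to a language file path.
 * The returned path is built only from constants; the input is used
 * solely as a lookup key and is never concatenated into the path.
 */
function resolveLanguageFile($requested): string
{
    // Arrays (language[]=x) and other non-strings fall back to the default.
    $code = is_string($requested) ? strtolower(trim($requested)) : '';
    if (!array_key_exists($code, SUPPORTED_LANGUAGES)) {
        $code = DEFAULT_LANGUAGE;
    }
    return LANG_DIR . '/' . SUPPORTED_LANGUAGES[$code];
}

// Constructed sample inputs; every value outside the allowlist resolves to en.php.
$samples = ['de', 'FR', '', '../outside', "en\0.txt", ['x'], null];
foreach ($samples as $input) {
    printf("%-18s => %s\n", json_encode($input), basename(resolveLanguageFile($input)));
}

// In the page script the include would then be:
//   require_once resolveLanguageFile($_REQUEST['language'] ?? null);
```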

This vulnerability was discovered by: Andrea Micalizzi (aka rgod)
Reported to Novell by ZDI / Tippingpoint

Assigned Identifiers
ZDI-CAN-1764
CVE-2013-1082

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7011896
  • Creation Date: 13-MAR-13
  • Modified Date: 31-MAY-13
    • Novell ZENworks Mobile Management
