Open Redirect Vulnerability found on the ZCC login page
This document (7012499) is provided subject to the disclaimer at the end of this document.
For ZCM 11.2.3a: Workaround - if it is not possible to upgrade to ZCM 11.2.4 at this time, Novell has made a patch available for testing as part of a monthly patch update. It can be obtained at https://download.novell.com/Download?buildid=s5zcEae9xcI~ as "ZCM 11.2.3a Monthly Update 1 - see TID 7012025". This update should only be applied if the symptoms above are being experienced and are causing problems.
Please report any problems encountered when using this Patch, by using the feedback link on this TID.
A change to zcc-framework.jar was made to address the issue. The 'fwdToURL' parameter now only accepts ZENworks URLs, which is checked by requiring "/zenworks" to be part of the URL. With this change, an invalid URL passed in results in a "Page not found" exception instead of a redirect, which avoids the vulnerability.
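The fix described above keys the redirect decision on "/zenworks" being part of the URL. The following Java class is an added illustration of how a defender typically implements that kind of allow-list for a post-login redirect parameter; it is not the code shipped in zcc-framework.jar, and the class name, method name and sample values are assumptions. It treats "/zenworks" as a required path prefix on a relative path, rejects anything carrying a scheme or authority (which would leave the console), and re-checks the prefix after normalising "." and ".." segments.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Illustrative validator for a post-login redirect parameter such as 'fwdToURL'.
 * Added example, not code from zcc-framework.jar. Assumes the console is served
 * under the /zenworks context path, as the TID states.
 */
public final class RedirectTargetValidator {

    private static final String ALLOWED_PREFIX = "/zenworks";

    private static boolean underContext(String path) {
        // Require a path-segment boundary so "/zenworksfoo" is not accepted.
        return path.equals(ALLOWED_PREFIX) || path.startsWith(ALLOWED_PREFIX + "/");
    }

    /** Returns a safe, console-local target, or null if the value must be rejected. */
    public static String sanitize(String fwdToUrl) {
        if (fwdToUrl == null || fwdToUrl.isEmpty()) {
            return null;
        }
        // Backslashes and control characters never occur in a legitimate console
        // URL and some browsers rewrite them into path separators; reject outright.
        for (int i = 0; i < fwdToUrl.length(); i++) {
            char c = fwdToUrl.charAt(i);
            if (c == '\\' || c < 0x20 || c == 0x7f) {
                return null;
            }
        }
        URI uri;
        try {
            uri = new URI(fwdToUrl);
        } catch (URISyntaxException e) {
            return null;
        }
        // A scheme (http://...) or an authority (//host/...) means the target is
        // not a relative path inside this application.
        if (uri.getScheme() != null || uri.getAuthority() != null) {
            return null;
        }
        String path = uri.getPath();
        if (path == null || !underContext(path)) {
            return null;
        }
        // Collapse "." and ".." segments and confirm the result still sits under
        // the context path.
        String normalized = uri.normalize().getPath();
        if (normalized == null || !underContext(normalized)) {
            return null;
        }
        // Rebuild from the validated components only, so nothing else survives.
        StringBuilder safe = new StringBuilder(normalized);
        if (uri.getRawQuery() != null) {
            safe.append('?').append(uri.getRawQuery());
        }
        return safe.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real request.
        String[] samples = {
            "/zenworks/jsp/index.jsp?tab=devices",   // accepted: relative, under context
            "/zenworks",                             // accepted: the context root itself
            "/zenworksfoo/page",                     // rejected: prefix without boundary
            "/zenworks/../other",                    // rejected: escapes context
            "//attacker.invalid/zenworks",           // rejected: protocol-relative
            "https://attacker.invalid/zenworks/"     // rejected: absolute URL
        };
        for (String s : samples) {
            String result = sanitize(s);
            System.out.println(s + " -> " + (result == null ? "REJECT (page not found)" : result));
        }
    }
}
```

In a servlet the caller would send the user to the sanitised value when it is non-null and otherwise return the "Page not found" response the TID describes; the query string is kept because console pages are selected by parameters, but it is taken from the parsed URI rather than the raw input.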
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7012499
- Creation Date:28-MAY-13
- Modified Date:16-JAN-14
- Novell ZENworks Configuration Management