Environment
Novell eDirectory 8.8 for All Platforms
Situation
The Metasploit module linked below is able to predict the next session cookie value issued by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run this module, wait until the real administrator logs in, and then supply the predicted cookie value to hijack the administrator's session.
http://www.metasploit.com/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie
Resolution
This issue has been fixed in eDirectory 8.8.5.4
Apply eDirectory 8.8.5.4 or the latest version available at https://dl.netiq.com
Status
Reported to Engineering
Security Alert
Additional Information
Reported by Secunia as SA38808 http://secunia.com/advisories/38808/