Security Vulnerability - Remote user can delete novell-owned files via HTTP without authentication.

  • 7006421
  • 09-Jul-2010
  • 26-Apr-2012

Environment

Novell Log Manager 1.0
Novell Log Manager 1.1

Situation

A user who can reach a Novell Log Manager, Novell Sentinel RD, or Novell Identity Audit system over HTTP can, without authenticating, send an HTTP request that deletes files that are owned by the 'novell' user and have underscores in their names.

Resolution

This is fixed in Novell Log Manager 1.1 Hotfix 2. Customers are encouraged to upgrade to this patch as soon as possible.

https://download.novell.com/Download?buildid=AhFWOo7BmdQ~

Status

Security Alert

Additional Information

This vulnerability was reported by TippingPoint, The Zero Day Initiative (ZDI).
This vulnerability was discovered by: 1c239c43f521145fa8385d64a9c32243

CVE ID Pending.