Environment
Novell ZENworks Configuration Management 11.2.3
Situation
Cross-site Request Forgery vulnerabilities allow unauthorized requests from a victim’s machine to improperly initiate transactions using an existing authenticated session.
Resolution
This is fixed in version 11.2.4 - see KB 7012027 "ZENworks Configuration Management 11.2.4 - update information and list of fixes", which can be found at https://support.microfocus.com/kb/doc.php?id=7012027
How it is fixed: A CSRF token was implemented as a hidden field in the form. The value of the hidden field is an id generated from a secure random source. The same token is stored in the session and is validated against the hidden form field when the form is submitted: when both match, the action is executed; otherwise the user is navigated to an error page. A new token is generated for each request, so no token is reused.
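The following is an added illustration of the mechanism described above, not code from ZENworks or Micro Focus. It models the fix in plain Python with a dictionary standing in for the server-side session: a token from a cryptographically secure random source is stored in the session, embedded in the form as a hidden field, and compared on submission; a match executes the action, a mismatch routes to the error page, and every rendered form gets a fresh token. The field name csrf_token, the session key _csrf_token and the handler names are assumptions. Two hardening choices go slightly beyond the text: the comparison is constant-time and the token is consumed on first use, so a captured token cannot be replayed.

```python
import hmac
import secrets
from html import escape
from typing import Dict, Optional

# Hypothetical names: the hidden form field and the session attribute.
TOKEN_FIELD = "csrf_token"
SESSION_KEY = "_csrf_token"


def generate_token() -> str:
    """Return an unpredictable token from the OS CSPRNG (256 bits, URL-safe)."""
    return secrets.token_urlsafe(32)


def issue_token(session: Dict[str, str]) -> str:
    """Create a fresh token for this request and store it in the session.

    Calling this for every rendered form is what makes the token unique
    per request; the returned value is what the form renderer embeds.
    """
    token = generate_token()
    session[SESSION_KEY] = token
    return token


def render_form(session: Dict[str, str], action: str = "/transfer") -> str:
    """Render a minimal form carrying the anti-CSRF token as a hidden field."""
    token = issue_token(session)
    return (
        f'<form method="POST" action="{escape(action)}">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{escape(token)}">\n'
        '  <input type="text" name="amount">\n'
        '  <input type="submit" value="Submit">\n'
        "</form>"
    )


def validate_token(session: Dict[str, str], form: Dict[str, str]) -> bool:
    """Compare the session token with the submitted hidden field.

    The session token is removed whether or not validation succeeds, so each
    token is single-use. A forged cross-site request cannot read the victim's
    page, so it cannot supply the expected value. The comparison is
    constant-time to avoid leaking the token through timing.
    """
    expected: Optional[str] = session.pop(SESSION_KEY, None)
    submitted: Optional[str] = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session: Dict[str, str], form: Dict[str, str]) -> str:
    """Dispatch a form submission.

    Returns "executed" when the protected action runs and "error" when the
    request would be sent to the error page instead.
    """
    if not validate_token(session, form):
        return "error"
    # The real state-changing action (e.g. the transfer) would run here.
    return "executed"


if __name__ == "__main__":
    # Constructed walk-through: the legitimate user loads the form and submits it,
    # then a forged request without the token is rejected.
    session: Dict[str, str] = {}
    page = render_form(session)
    token = session[SESSION_KEY]
    print(page)
    print("legitimate submit:", handle_post(session, {TOKEN_FIELD: token, "amount": "10"}))
    render_form(session)  # victim loads a new form; forged request lacks its token
    print("forged submit:   ", handle_post(session, {"amount": "10"}))
```

Because the token lives in the server-side session and is only ever delivered inside the page body, a request built on a third-party site still carries the victim's session cookie but has no way to obtain the hidden field value, which is exactly the gap the fix closes.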
Cause
Cross-site Request Forgery allows unauthorized requests from a victim’s machine to improperly initiate transactions using an existing authenticated session. ZCM did not include protection against such requests.
Status
Security Alert
Additional Information
Assigned CVE-2013-6346
This allows an attacker to perform all the legitimate actions which a legitimate user can perform after a log-in. All Web applications which use only HTTP cookies to store session information are vulnerable to CSRF. Such applications expose their users to a typical CSRF attack every time they log in to the application. For example, a banking application which is vulnerable to CSRF may allow an attacker to transfer funds from a victim’s account to his own account. If the victim is using an e-mail application vulnerable to CSRF, the attacker can send malicious e-mails using the victim’s account without her knowledge.