Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[CIRT.DK] - Novell ZENworks Patch Management Server 6.0.0.52 - SQL injection
From: "CIRT.DK Advisory" <advisory () cirt dk>
Date: Thu, 27 Oct 2005 16:24:05 +0200

The Novell ZENworks Patch Management Server 6.0.0.52 is vulnerable to 
SQL injection in the management console.

To being able to exploit this issue the administrator have to 
manually created a none-privileged account as minimum, to allow
exploitation.

Fix:    
Upgrade to ZENworks Patch Management version 6.2.2.181
(or newer hot fix via your PLUS server) found at http://download.novell.com.

Note:   
The 6.0.0.52 CD ISO image was on the Novell download site up until the 2nd
week of September, 2005. 
The ZENworks Patch Management CD ISO image that is currently available at
the download site at the 
time of this document being published
http://download.novell.com/Download?buildid=5_kRStyf9wU~ 

ISO Name:       ZEN_PatchMgmt_Upd6.2.iso Size: 323.8 MB
(339607552) MD5: aeb244ecdf29c83cb8388fae1a6a1919 


A technical description of the vulnerability can be read at: 
http://www.cirt.dk



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [CIRT.DK] - Novell ZENworks Patch Management Server 6.0.0.52 - SQL injection CIRT.DK Advisory (Oct 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]