Security Vulnerability - eDirectory DHOST Predictable Session Cookie

  • 7005467
  • 09-Mar-2010
  • 27-Jan-2014

Environment

Novell eDirectory 8.8 for All Platforms

Situation

The Metasploit module linked below is able to predict the next session cookie value issued by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run the module, wait until the real administrator logs in, and then supply the predicted cookie value to hijack the administrator's session.

http://www.metasploit.com/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie

Resolution

This issue has been fixed in eDirectory 8.8.5.4.

Apply eDirectory 8.8.5.4 or the latest version available at https://dl.netiq.com

Status

Reported to Engineering
Security Alert

Additional Information

Reported by Secunia as SA38808 http://secunia.com/advisories/38808/