Environment
Novell ZENworks Mobile Management 2.7.0
Novell ZENworks Mobile Management 2.6.1
Situation
A vulnerability has been identified in ZMM. This product installs a PHP-based web interface on IIS. By directly invoking a script called MDM.php, it is possible to bypass the authentication mechanism.
Resolution
This fix will be incorporated into future releases.
Cause
This is effectively the result of missing validation checks of the language variable.
Status
Security Alert
Additional Information
The fix is a simple check of the value of the language variable against the supported languages. MDM.php receives a 'language' variable, which is later used to include arbitrary resources from the local filesystem via require_once().
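One way to implement the allowlist check described above, as an added example that is not Novell's code. The constant and function names, the `lang` directory, the language codes and the use of `$_REQUEST` are all assumptions made for illustration.

```php
<?php
// Added example; every name here is hypothetical and not taken from the
// ZENworks Mobile Management source.

const LANG_DIR = __DIR__ . '/lang';   // assumed location of the language files
const DEFAULT_LANGUAGE = 'en';        // assumed fallback language

// Assumed allowlist: each supported code maps to a fixed file name, so the
// request value is only ever used as a lookup key, never as part of a path.
const SUPPORTED_LANGUAGES = [
    'en' => 'en.php',
    'de' => 'de.php',
    'fr' => 'fr.php',
];

function resolve_language_file($requested): string
{
    // Reject non-strings (e.g. language[]=x) and anything that is not an
    // exact allowlist key; fall back to the default instead of including it.
    if (!is_string($requested) || !array_key_exists($requested, SUPPORTED_LANGUAGES)) {
        $requested = DEFAULT_LANGUAGE;
    }
    $path = LANG_DIR . '/' . SUPPORTED_LANGUAGES[$requested];

    // Defence in depth: the resolved file must exist and sit inside LANG_DIR,
    // which also catches a symlinked or misplaced language file.
    $real = realpath($path);
    $base = realpath(LANG_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('Language file missing or outside language directory');
    }
    return $real;
}

// The unsafe pattern is a require_once() whose argument is built from the raw
// request value. Here the argument always comes from the allowlist.
try {
    require_once resolve_language_file($_REQUEST['language'] ?? DEFAULT_LANGUAGE);
} catch (RuntimeException $e) {
    http_response_code(500);
    exit('Language resources unavailable');
}
```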
This vulnerability was discovered by: Andrea Micalizzi (aka rgod)
Reported to Novell by ZDI / Tippingpoint
Assigned Identifiers
CVE-2013-1081
ZDI-CAN-1763
Disclaimer