Environment
Novell ZENworks Configuration Management 11.2 ZENworks Control Center - ZCC
Situation
Open Redirect vulnerability found with the ZCC login page
Resolution
This is fixed in version 11.2.4 - see KB 7012027 "ZENworks
Configuration Management 11.2.4 - update information and list of fixes"
which can be found at https://support.microfocus.com/kb/doc.php?id=7012027
For ZCM 11.2.3a: Workaround - if it is not possible to upgrade to ZCM 11.2.4 at this time, Novell has made a patch available for testing as part of a Monthly patch update. It can be obtained at https://download.novell.com/Download?buildid=s5zcEae9xcI~ as "ZCM 11.2.3a Monthly Update 1 - see TID 7012025". This update should only be applied if the symptoms above are being experienced and are causing problems.
Please report any problems encountered when using this Patch, by using the feedback link on this TID.
A change to zcc-framework.jar was made to address the issue. The 'fwdToURL' parameter now only allows ZENworks URLs, checked by requiring "/zenworks" as part of the URL. This change avoids the vulnerability by displaying a Page not found exception when an invalid URL is passed in.
Status
Security Alert
Additional Information
The form element fwdToURL, which is passed as part of the POST method, is used when the session times out: when the user clicks a button or link that posts back, there is no existing session, so a login page is shown. This would allow someone to create a link to a specific page where a special parameter, "directToPage", is checked. If that parameter is on the URL, the login page is shown and the user is then redirected to the requested page ID, but fwdToURL allowed any URL, which creates the vulnerability in ZCM.
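As an added illustration (not code from this TID or from zcc-framework.jar), the following Python shows a strict form of the post-login forward check described above: fwdToURL is accepted only as a same-origin path under /zenworks, and anything else maps to the "Page not found" outcome rather than a redirect. The .jsp path, the directToPage value and the length limit are assumed sample values.

```python
# Added example (not the TID's or ZENworks' own code): a same-origin,
# path-prefix check for a post-login forward parameter such as fwdToURL.
import posixpath
from urllib.parse import quote, unquote, urlsplit, urlunsplit

ZENWORKS_PREFIX = "/zenworks"   # ZCC application context path
MAX_LEN = 2048                  # assumed sanity limit on the parameter


def resolve_forward(fwd: str):
    """Return a normalised ZENworks path to forward to after login, or None.

    None means the caller should render "Page not found" (the behaviour the
    TID describes for an invalid URL) instead of redirecting anywhere.
    """
    if not fwd or len(fwd) > MAX_LEN:
        return None
    # Whitespace and control characters are never part of a legitimate path
    # and only serve to confuse URL parsers; reject them outright.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in fwd):
        return None
    # Backslashes and protocol-relative "//host" are treated as an authority
    # by browsers even when a naive parser sees a relative path.
    if "\\" in fwd or fwd.startswith("//"):
        return None
    parts = urlsplit(fwd)
    if parts.scheme or parts.netloc:    # absolute URL: leaves our origin
        return None
    # Decode once, then collapse "." and ".." so the prefix test sees the
    # path the servlet container will actually serve.
    path = posixpath.normpath(unquote(parts.path))
    if path != ZENWORKS_PREFIX and not path.startswith(ZENWORKS_PREFIX + "/"):
        return None
    return urlunsplit(("", "", quote(path), parts.query, parts.fragment))


def is_safe_forward(fwd: str) -> bool:
    """True when fwd would be accepted as a post-login forward target."""
    return resolve_forward(fwd) is not None


if __name__ == "__main__":
    # Constructed sample values; the .jsp path and page ID are hypothetical.
    for candidate in ("/zenworks/jsp/example.jsp?directToPage=Summary",
                      "/zenworks/%2e%2e/other", "//example.org/zenworks",
                      "http://example.org/zenworks"):
        print(f"{candidate!r:50} -> {resolve_forward(candidate)}")
```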
assigned CVE-2013-1093