Application Exception - [OWASP 2010 A 6] vulnerability found on ZCC page

  • 7012763
  • 02-Jul-2013
  • 16-Jan-2014

Environment

Novell ZENworks Configuration Management 11.2.3

Situation

An attacker might gain administrative control of your web application by using vulnerabilities known to be in the servers or server-side technologies used.

Resolution

This is fixed in version 11.2.4 - see KB 7012027 "ZENworks Configuration Management 11.2.4 - update information and list of fixes" which can be found at https://support.microfocus.com/kb/doc.php?id=7012027

How it was fixed: This is handled by removing the trace info which was being displaying earlier and displayed into the ZCC.log file. Instead of trace info displaying the error message in ZCC which will give the info for the zcc.log


Cause

Application Exceptions are vulnerabilities where unexpected inputs can trigger inappropriate exceptions, or error responses disclosing implementation information, such as a stack trace. The SmartAttack sends various unusual inputs and looks for text in responses evidencing poor error handling.

Status

Security Alert

Additional Information

Assigned CVE-2013-6345

It is also be possible to gain remote access to restricted information via exploit of some vulnerability in your application. An Application Exception vulnerability helps the attacker in formulating the correct attack depending on information disclosed in the error message. Such an error message may also disclose information about the deployment of the server, such as the database server used, server-side technology used, etc.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.