Environment
Novell ZENworks Configuration Management 11.2.3
Situation
It was possible to steal or manipulate a customer's session and cookies,
which might be used to impersonate a legitimate user, allowing the
hacker to view or alter user records, and to perform transactions as
that user.
Resolution
This is fixed in version 11.2.4. See KB 7012027, "ZENworks Configuration Management 11.2.4 - update information and list of fixes", which can be found at http://support.microfocus.com/kb/doc.php?id=7012027
Fixed by adding code to regenerate the session id on every login to ZCC
Cause
Root cause: The session ID was generated only at the ZCC login page and was not
regenerated after the initial login, leaving a possible window in which someone could reuse the logged-in session.
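The root cause above and the fix described under Resolution, modelled as an added example (not ZCC code or Novell's patch). The in-memory `SessionStore`, its method names and the user name are assumptions made for illustration; the check at the end is the regression test a login flow should pass.

```python
import secrets


class SessionStore:
    """Minimal server-side session table (constructed model, not ZCC's)."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session id -> {"user": name or None}

    def new_session(self):
        """Issue an unauthenticated session, as a login page does."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Bind `user` to the session (credentials assumed already verified).

        Returns the session id the client must present from now on.
        """
        if sid not in self.sessions:
            sid = self.new_session()
        data = self.sessions[sid]
        if self.regenerate_on_login:
            # Fixed behaviour: retire the pre-login id and move the
            # session state to a fresh, unpredictable id.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = data
        # Without regeneration the pre-login id silently becomes an
        # authenticated one, which is the condition described above.
        data["user"] = user
        return sid

    def whoami(self, sid):
        """Return the user bound to `sid`, or None if unknown/anonymous."""
        data = self.sessions.get(sid)
        return data["user"] if data else None


def prelogin_id_survives_login(store):
    """Regression check: is the id issued before login still authenticated
    after login, and is it the same id the client keeps using?"""
    pre = store.new_session()
    post = store.login(pre, "admin")  # constructed user name
    return store.whoami(pre) is not None, pre == post
```

A flow with the fix returns `(False, False)` from `prelogin_id_survives_login`; `(True, True)` means an id known before authentication remains valid afterwards.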
Status
Security Alert
Additional Information
Assigned CVE-2013-6347