From: "CIRT.DK Advisory" <advisory@cirt.dk.>
To: "Bugtraq@Securityfocus. Com" <bugtraq@securityfocus.com.>,
Subject: [CIRT.DK] - Novell ZENworks Patch Management Server 6.0.0.52 - SQL injection
Date: Thu, 27 Oct 2005 16:24:05 +0200
Message-ID: <000101c5db02$16dbac80$0301a8c0@Furion>
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
X-Virus-Scanned: antivirus-gw at tyumen.ru
The Novell ZENworks Patch Management Server 6.0.0.52 is vulnerable to=20
SQL injection in the management console.
To being able to exploit this issue the administrator have to=20
manually created a none-privileged account as minimum, to allow
exploitation.
Fix:=09
Upgrade to ZENworks Patch Management version 6.2.2.181
(or newer hot fix via your PLUS server) found at =
http://download.novell.com.
Note:=09
The 6.0.0.52 CD ISO image was on the Novell download site up until the =
2nd
week of September, 2005.=20
The ZENworks Patch Management CD ISO image that is currently available =
at
the download site at the=20
time of this document being published
http://download.novell.com/Download?buildid=3D5_kRStyf9wU~=20
ISO Name: ZEN_PatchMgmt_Upd6.2.iso Size: 323.8 MB
(339607552) MD5: aeb244ecdf29c83cb8388fae1a6a1919=20
A technical description of the vulnerability can be read at:=20
http://www.cirt.dk
