BID:21473

Novell ZENworks Patch Management Downloadreport.ASP SQL Injection Vulnerability

Info

Novell ZENworks Patch Management Downloadreport.ASP SQL Injection Vulnerability

Bugtraq ID:	21473
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Dec 06 2006 12:00AM
Updated:	Dec 07 2006 04:54PM
Credit:	The vendor reported this issue.
Vulnerable:	Novell ZENworks Patch Management 6.2 Novell ZENworks Patch Management 6.0 .52 Novell ZENworks Patch Management 6.2 SR1

Not Vulnerable:	Novell ZENworks Patch Management 6.3.2 700

Discussion

Novell ZENworks Patch Management Downloadreport.ASP SQL Injection Vulnerability

Novell ZENworks Patch Management is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

Novell ZENworks Patch Management versions prior to 6.3.2.700 are affected by this issue.

Exploit / POC

Novell ZENworks Patch Management Downloadreport.ASP SQL Injection Vulnerability

Attackers can exploit this issue via a web client.

Solution / Fix

Novell ZENworks Patch Management Downloadreport.ASP SQL Injection Vulnerability

Solution:
The vendor released an update to address this issue. Please contact the vendor for information on obtaining and applying the update.

References

Novell ZENworks Patch Management Downloadreport.ASP SQL Injection Vulnerability

References:

Novell Homepage (Novell)