VID | 21946
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The PatchLink Update Server (PLUS) is vulnerable to an authentication bypass via the proxyreg.asp script. PatchLink Update Server (PLUS) and Novell ZENworks Patch Management are patch and vulnerability management products for medium and large enterprise networks. PatchLink Update Server versions prior to 6.1 P1 or prior to 6.2 SR1 P1, and ZENworks Patch Management versions prior to 6.2 SR1, could allow a remote attacker to bypass authentication because of improper filtering of user-supplied input passed to the 'List', 'Proxy', and 'Delete' parameters of the '/dagent/proxyreg.asp' script on the server's Web front end. A remote attacker could exploit this vulnerability to bypass authentication and list, add, or delete the PatchLink Distribution Point (PDP) proxy servers used by the PatchLink FastPatch software, that is, to redirect or disable patch distribution for the agents that rely on those proxies.
* References:
  http://www.frsirt.com/english/advisories/2006/2596
  http://www.frsirt.com/english/advisories/2006/2595
  http://secunia.com/advisories/20878
  http://secunia.com/advisories/20876
  http://securitytracker.com/alerts/2006/Jun/1016405.html
  http://patchlink.custhelp.com/cgi-bin/patchlink.cfg/php/enduser/std_adp.php?p_faqid=303
  http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm
* Platforms Affected:
  PatchLink, PatchLink Update versions prior to 6.1 P1
  PatchLink, PatchLink Update versions prior to 6.2 SR1 P1
  Novell, ZENworks Patch Management versions prior to 6.2 SR1
  Microsoft Windows, any version |
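A detection check a practitioner would want alongside this entry: scan the Web server log of the PLUS front end for requests to '/dagent/proxyreg.asp' that carry the 'List', 'Proxy' or 'Delete' parameters named above, and raise the ones IIS recorded as anonymous and coming from outside the known PDP/agent hosts. This is an added example, not code from the advisory, PatchLink or Novell. It assumes the PLUS front end runs on IIS logging in W3C extended format with the field order in FIELDS (adjust to your server's #Fields: header); the log lines, addresses and hostnames in SAMPLE_LOG are constructed for illustration.

```python
"""Log-based detection for unauthenticated proxyreg.asp management calls
(PatchLink Update Server / ZENworks Patch Management, CVE-2006-3425).

Added example, not vendor code.  Assumes an IIS W3C extended log whose
#Fields: order matches FIELDS below; SAMPLE_LOG is constructed data.
"""
from urllib.parse import parse_qs

# Script path and parameter names taken from the advisory text.
TARGET_STEM = "/dagent/proxyreg.asp"
SUSPECT_PARAMS = {"list", "proxy", "delete"}

# Assumed #Fields: order of the IIS log (assumption; align with your header).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample: two anonymous hits from an outside address, one
# authenticated hit from a known PDP host, and one unrelated request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2006-06-28 10:14:02 10.0.0.5 GET /dagent/proxyreg.asp List=1 80 - 192.0.2.77 Mozilla/4.0 200
2006-06-28 10:14:09 10.0.0.5 GET /dagent/proxyreg.asp Delete=1&Proxy=192.0.2.99 80 - 192.0.2.77 Mozilla/4.0 200
2006-06-28 10:15:30 10.0.0.5 GET /dagent/proxyreg.asp Proxy=10.0.0.20 80 CORP\\svc_plus 10.0.0.20 PatchLinkAgent 200
2006-06-28 10:16:01 10.0.0.5 GET /default.asp - 80 - 192.0.2.77 Mozilla/4.0 200
"""


def parse_w3c(text, fields=FIELDS):
    """Yield one dict per log entry, skipping '#' directive lines and
    lines whose field count does not match (do not guess at layout)."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def proxyreg_hits(text, allowlist=frozenset()):
    """Return entries that call proxyreg.asp with List/Proxy/Delete parameters.

    Each finding records the parameter names seen, whether IIS logged an
    authenticated user ('-' means anonymous) and whether the client address
    is in `allowlist` (the known PDP/agent hosts).
    """
    findings = []
    for e in parse_w3c(text):
        if e["cs-uri-stem"].lower() != TARGET_STEM:
            continue
        query = "" if e["cs-uri-query"] == "-" else e["cs-uri-query"]
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        hit = sorted(params & SUSPECT_PARAMS)
        if not hit:
            continue
        findings.append({
            "when": f'{e["date"]} {e["time"]}',
            "client": e["c-ip"],
            "params": hit,
            "anonymous": e["cs-username"] == "-",
            "trusted_source": e["c-ip"] in allowlist,
            "status": e["sc-status"],
        })
    return findings


def alerts(text, allowlist=frozenset()):
    """Anonymous proxyreg.asp management calls from hosts outside the allowlist:
    the pattern an attacker exploiting the bypass would leave behind."""
    return [f for f in proxyreg_hits(text, allowlist)
            if f["anonymous"] and not f["trusted_source"]]


if __name__ == "__main__":
    for f in alerts(SAMPLE_LOG, allowlist={"10.0.0.20"}):
        print(f'{f["when"]} {f["client"]} params={",".join(f["params"])} status={f["status"]}')
```

Run against the constructed log, the two anonymous requests from 192.0.2.77 are reported and the authenticated request from the allowlisted PDP host 10.0.0.20 is not. On a patched server the script should reject anonymous callers, so an anonymous hit with a 200 status is also a quick indicator that the upgrade in the Recommendation has not been applied.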
Recommendation |
Upgrade to the latest version of PatchLink Update Server (6.1 P1 or 6.2 SR1 P1 or later) if using PatchLink Update Server, available from the PatchLink Web site at http://patchlink.custhelp.com/cgi-bin/patchlink.cfg/php/enduser/std_adp.php?p_faqid=303
-- OR --
Upgrade to the latest version of Novell ZENworks Patch Management (6.2 SR1 P1 or later) if using Novell ZENworks Patch Management, available from the ZENworks Patch Management Download Web site at http://www.patchlink.com/downloads/support/helpdesk/3808/NOVELL/HotfixInstaller.msi |
Related URL | CVE-2006-3425 (CVE)
Related URL | 18723 (SecurityFocus)
Related URL | (ISS)