Novell ZENworks Mobile Management MDM.php Local File Inclusion

Nessus Plugin ID 65551 (Severity: High)

Synopsis

The remote host is affected by a local file inclusion vulnerability.

Description

Nessus was able to exploit a local file inclusion vulnerability in the
'language' parameter of Novell ZENworks Mobile Management's 'MDM.php'
script by sending a specially crafted HTTP GET request. By supplying a
directory traversal string in that parameter, it is possible to access
any file on the system that is accessible to the web server.

Note that hosts affected by this vulnerability are likely affected by a
similar vulnerability in 'DUSAP.php'.

Solution

Upgrade to Novell ZENworks Mobile Management 2.7.1 or later, when it
becomes available.

See Also

https://www.zerodayinitiative.com/advisories/ZDI-13-087/

http://www.nessus.org/u?b1357ad4

Plugin Details

Severity: High

ID: 65551

File Name: novell_zenworks_mobile_management_mdm_lfi.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 2013/03/14

Modified: 2018/11/15

Dependencies: 65550

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:novell:zenworks_mobile_management

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 2013/03/07

Exploitable With

Core Impact

Metasploit (Novell Zenworks Mobile Managment MDM.php Local File Inclusion Vulnerability)

Reference Information

CVE: CVE-2013-1081

BID: 58402