HTTP: Novell NetIQ Privileged User Manager Eval Policy Bypass
A policy-bypass vulnerability has been reported in Novell NetIQ Privileged User Manager, which could allow remote attackers to compromise a system. The vulnerability is due to an access control weakness when handling calls to the eval method within POST requests. A remote, unauthenticated attacker can exploit this vulnerability by sending a malicious eval request to the vulnerable server. Successful exploitation could result in command execution under the context of the SYSTEM.
Extended Description
Eval injection vulnerability in the ldapagnt_eval function in ldapagnt.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 allows remote attackers to execute arbitrary Perl code via a crafted application/x-amf request.
Affected Products
Microfocus privileged_user_manager
Short Name
HTTP:NOVELL-NETIQ-EVAL-POLBYPAS
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Bypass CVE-2012-5932 Eval Manager NetIQ Novell Policy Privileged User bid:56539
Release Date
01/02/2013
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3407
False Positive
Unknown
Vendors
Microfocus
CVSS Score
10.0