Novell Modular Authentication Service May Let Remote Users Change Passwords
SecurityTracker Alert ID: 1014595
SecurityTracker URL: http://securitytracker.com/id?1014595
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 29 2005
Impact: Modification of authentication information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 2.3.8
Description: A vulnerability was reported in Novell Modular Authentication Service (NMAS). A remote user may be able to change a target user's password.
In certain situations, a remote user can exploit the "Forgotten Password" page to change a target user's password without answering the challenge questions.
Impact: A remote user may be able to change a target user's password.
Solution: The vendor has issued a fixed version (2.3.8). The vendor's advisory is available at:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971485.htm
Vendor URL: support.novell.com/cgi-bin/search/searchtid.cgi?/2971485.htm
Cause: Authentication error, State error
Underlying OS: Linux (Any), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
Message History:
None.
Source Message Contents
Date: Fri, 29 Jul 2005 01:18:12 -0400
Subject: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971485.htm
> eDir Authen Server Modules 2.3.8 (NMAS) - TID2971485 (last modified 28JUL2005)
> Under certain circumstances, Forgotten Password portal allows user to change
> password without answering challenge questions.