Multiple security vulnerabilities in the Novell eDirectory dhost service/NCP implementation

Release date:
Updated on:

Affected Systems:
Novell eDirectory 8.8.7.2
Novell eDirectory 8.8.6.7
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57038
CVE (CAN) ID: CVE-2012-0428, CVE-2012-0429, CVE-2012-0430, CVE-2012-0432
 
Novell eDirectory is a cross-platform Directory Server.
 
Novell eDirectory versions earlier than 8.8.8.7.2 and 8.8.6.7 have cross-site scripting, DOS, information leakage, and stack buffer overflow vulnerabilities, attackers can execute arbitrary script code, steal cookies, leak sensitive information, execute arbitrary code, and cause DoS in the affected browsers.
 
1) when processing certain characters, there is an error in the dhost service and DOS can be caused by specially crafted HTTP requests. This vulnerability only affects Windwos.
 
2) there is an error in NCP implementation, which may cause stack buffer overflow.

 
<* Source: Positive Technologies
Vendor

Link: http://www.novell.com/support/kb/doc.php? Id = 3426981
Http://secunia.com/advisories/51667/
Http://www.novell.com/support/kb/doc.php? Id = 7011533
Http://www.novell.com/support/kb/doc.php? Id = 7011538
Http://www.novell.com/support/kb/doc.php? Id = 7011539
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Novell
------
The vendor has released a patch to fix this security problem. Please download 8.8.7.2/8.8.6.7 from the vendor's homepage:
 
Http://download.novell.com/