The Unidesk Management Console versions 1.3 and below suffer from a direct access vulnerability that allows an attacker direct access to administrative resources.
0d22cc882b3d6c110e94623b1274d806e3e68239274da8ea4c92fd017f31ea87------------------------------------------------------------------
1. Summary:
Unidesk management appliance is prone to a forceful browsing vulnerability
that allows an attacker access to administrator resources.
------------------------------------------------------------------
2. Description:
The "ReportingService" of the web services does not check for session
credentials to access reports about the Virtual Desktop Infrastructure
environment.
These reports provides information such as:
* Applications installed
* CachePoint appliance information
* Desktop names
* Domain usernames
* Operating systems installed
An attacker may gain access to the reports by directly pointing to the
following URL:
/Uni.Web/Reporting/Default.aspx
------------------------------------------------------------------
3. Impact:
This issue can be exploited to access sensitive information that may lead to
further attacks.
------------------------------------------------------------------
4. Affected Products:
Unidesk Management Console version 1.3 and prior.
------------------------------------------------------------------
5. Solution: Upgrade to version 1.4
------------------------------------------------------------------
6. Time Table:
3/17/2011 Reported Vulnerability to the Vendor
3/25/2011 Vendor Acknowledge Vulnerability, fix will be addressed in the 1.4
release
------------------------------------------------------------------
7. Credits:
Discovered by Nathan Power
www.securitypentest.com
------------------------------------------------------------------
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed