PT-2010-2078 · Novell · Novell Access Manager

Published: 2010-06-18 · Updated: 2017-08-17 · CVE-2010-0284

CVE-2010-0284

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Novell Access Manager versions prior to 3.1.2-281

Description

The issue allows remote attackers to create arbitrary files with any contents and consequently execute arbitrary code via a .. (dot dot) in a parameter in the getEntry method. This method is part of the PortalModuleInstallManager component in a servlet in nps.jar in the Administration Console.

Recommendations

For Novell Access Manager versions prior to 3.1.2-281, update to version 3.1.2-281 or later to resolve the issue. As a temporary workaround, consider restricting access to the getEntry method in the PortalModuleInstallManager component to minimize the risk of exploitation. Avoid using the parameter that allows the .. (dot dot) traversal in the affected servlet until the issue is resolved.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2010-0284
ZDI-10-112

Affected Products

Novell Access Manager