lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 19 Nov 2008 12:01:03 +0000
From: ProCheckUp Research <research@...checkup.com>
To: <bugtraq@...urityfocus.com>
Subject: PR08-09: Unauthenticated File Retrieval on Sun Java System Identity
 Manager "ext" parameter

PR08-09: Unauthenticated File Retrieval on Sun Java System Identity
Manager "ext" parameter

Date Found: 25th April 2008

Vendor Contacted: 28th April 2008

Date Public: 10th November 2008

Severity: High

Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com).

ProCheckUp thanks Sun for working with us.

Description:

Sun Java System Identity Manager is vulnerable to *unauthenticated* file
retrieval a.k.a. directory traversal within the "ext" parameter
processed by the "/idm/includes/helpServer.jsp" server-side script.


Consequences:

Any files can be retrieved from the target server provided that the
attacker knows its location on the filesystem. No authentication is
required to exploit this vulnerability.


Proof of concept (PoC):

_Due to the severity of this issue, ProCheckUp will keep the PoC private
until all Sun Identity Manager customers are given enough time to update._

Successfully tested on:

Server environment:

Windows Server 2003, Standard
Apache Tomcat/5.0.28
Sun Java System Identity Manager 6.0 (20061212 SP 2)

Note: the version of Sun Java SIM can be obtained from the HTML source
code of the user login page: "/idm/user/login.jsp"

i.e.:

[snip]

<a onmouseover="return overlib('Open <b>Help</b><br>Version &nbsp;Sun
Java System Identity Manager 6.0 (20061212 SP 2)',
	FGCOLOR, '#F5F5DC',
	BGCOLOR, '#000000',
	DELAY, '750')"
[snip]


References:

http://www.sun.com/software/products/identity_mgr/index.xml
http://www.procheckup.com/Vulnerabilities


Fix:

Apply the patches released by Sun. This vulnerability has been filed as
Sun Bugzilla bug 18653.

For more information please see
http://sunsolve.sun.com/search/document.do?assetkey=1-26-243386-1

Legal:

Copyright 2008 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if the Bulletin is not changed or edited in any way, is attributed
to ProCheckUp indicating this web page URL, and provided such
reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. ProCheckUp is not
liable for any misuse of this information by any third party. ProCheckUp
is not responsible for the content of external Internet sites.

Powered by blists - more mailing lists