Message-ID: <1ec620e90602031635h191ceea3o99b687ad6f49f83a@mail.gmail.com>
Date: Sat Feb 4 00:35:23 2006
From: evdo.hsdpa at gmail.com (Robert Kim Wireless Internet Advisor)
Subject: VSR Advisory: IBM Tivoli Access Manager - Web Server Plug-in File Retrieval Vulnerability
How often do these advisories come out?
>
> Product Description:
>
> From IBM's Website[1][2]:
>
> "IBM Tivoli Access Manager for e-business is an award winning,
> policy-based access control solution for e-business and enterprise
> applications that is in the leader quadrant of Gartner's Magic
> Quadrant. Tivoli Access Manager for e-business can help you manage
> growth and complexity, control escalating management costs and address
> the difficulties of implementing security policies across a wide range
> of Web and application resources."
>
> "Tivoli Access Manager Plug-in for Web Servers enforces a high degree
> of security in a secure domain by requiring each client to provide
> proof of identity. Comprehensive network security can be provided by
> having Tivoli Access Manager Plug-in for Web Servers control the
> authentication and authorization of clients."
>
>
>
> Vulnerability Overview:
>
> On December 1st, while conducting a penetration test of a TAM enabled web
> application, VSR identified a vulnerability in Tivoli Web Server Plug-in
> which is a component of Tivoli Access Manager (TAM). This flaw allows an
> authenticated attacker to retrieve files (which reside outside of the web
> root) from the web server on which the plug-in resides. It is possible to
> retrieve any file or list any directory which is readable by the web
> server software.
>
>
> Vulnerability Details:
>
> IBM's TAM Plug-in contains a logout handler under the root web path named
> `pkmslogout'. This handler is designed to log out authenticated users.
> The handler's display template can be specified by the `filename' request
> parameter. The value of this parameter is intended to be the partial path
> to a file on the web server which contains the page template. This file
> path is vulnerable to directory traversal, and can be used to retrieve
> nearly arbitrary files from the web server hosting the TAM Plug-in.
>
> For instance, if a vulnerable plug-in existed on the system
> tam.example.com, one could exploit the problem by hitting a URL such as:
>
> http://tam.example.com/pkmslogout?filename=../../../../../../../etc/passwd
>
> It appears this problem can only be triggered when the attacker is
> already authenticated through the Web Plug-in.
>
>
>
> Vendor Response:
> IBM was first notified on 2005-12-05. Initial response was received on
> 2005-12-06. A patch for this issue was released (For versions 5.1.0) on
> 2006-01-18 and was published as a Limited availability fix:
> 5.1.0-TIV-WPI-LA0016.
>
>
> Recommendation:
>
> Apply the relevant fix packs available from IBM.
>
>
> -
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
>
> Common Vulnerabilities and Exposures (CVE) Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues. These are candidates for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
> CVE-2006-0513
--
Robert Q Kim, Wireless Internet Advisor
http://hsdpa-coverage.com
http://www.antennacoverage.com/cell-repeater.html
2611 S. Pacific Coast Highway 101
Suite 102
Cardiff by the Sea, CA 92007
206 984 0880
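
Added example (not part of the original message or the VSR advisory): a log check for the `pkmslogout` / `filename` pattern the advisory describes, flagging requests whose template path would resolve outside its base directory. It assumes common/combined-format web server access logs; the function names and sample log lines are constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so nested encoding is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_template_dir(filename):
    """True if a relative template path would resolve outside its base directory."""
    path = decode_fully(filename).replace("\\", "/")
    if path.startswith("/") or re.match(r"[A-Za-z]:", path):
        return True  # absolute path, not a partial template path
    norm = normpath(path)
    return norm == ".." or norm.startswith("../")

def suspicious_logout_requests(log_lines):
    """Return (line_number, decoded filename) for pkmslogout traversal requests."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # Case-insensitive match on the handler name is a conservative choice.
        if url.path.rstrip("/").lower() != "/pkmslogout":
            continue
        for value in parse_qs(url.query).get("filename", []):
            if escapes_template_dir(value):
                hits.append((n, decode_fully(value)))
    return hits

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - alice [03/Feb/2006:10:00:01 +0000] "GET /pkmslogout HTTP/1.1" 200 512',
    '192.0.2.10 - alice [03/Feb/2006:10:02:11 +0000] "GET /pkmslogout?filename=logout_custom.html HTTP/1.1" 200 640',
    '192.0.2.77 - bob [03/Feb/2006:10:05:40 +0000] "GET /pkmslogout?filename=../../../../../../../etc/passwd HTTP/1.1" 200 1432',
    '192.0.2.77 - bob [03/Feb/2006:10:05:52 +0000] "GET /pkmslogout?filename=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1432',
    '192.0.2.10 - alice [03/Feb/2006:10:07:03 +0000] "GET /index.html?filename=../x HTTP/1.1" 200 100',
]
```

Because the advisory notes the issue is only reachable after authentication, any hit can be tied to the authenticated user field of the same log entry when triaging.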