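IBM WebSphere Application Server "PerfServlet" Information Disclosure Vulnerability
BUGTRAQ ID: CVE ID:CVE-2008-5413 CNCVE ID:CNCVE-20085413 IBM WebSphere Application Server is a commercial web application server. IBM WebSphere Application Server has a flaw in its handling of "PerfServlet" parameters, which a remote attacker can exploit to obtain sensitive information. No detailed solution is currently available. IBM WebSphere Application Server 6.0.x: refer to the following security advisory for patch information:...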
IBM WebSphere Application Server 6.1 < Fix Pack 21 Multiple Flaws
IBM WebSphere Application Server 6.1 before Fix Pack 21 appears to be running on the remote host. As such, it is reportedly affected by multiple flaws: - Provided Performance Monitoring Infrastructure (PMI) is enabled, it may be possible for a local attacker to obtain sensitive information through...
Open redirect
Open redirect vulnerability in the ibm_security_logout servlet in IBM WebSphere Application Server (WAS) 5.1.1.19 and earlier 5.x versions, 6.0.x before 6.0.2.33, and 6.1.x before 6.1.0.23 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the...
Code injection
The (1) mod_ibm_ssl and (2) mod_cgid modules in IBM HTTP Server 6.0.x before 6.0.2.31 and 6.1.x before 6.1.0.19, as used in WebSphere Application Server (WAS), set incorrect permissions for AF_UNIX sockets, which has unknown impact and local attack vectors...
Code injection
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5.1.x before 5.1.1.19, 6.0.x before 6.0.2.29, and 6.1.x before 6.1.0.19, when Web Server plug-in content buffering is enabled, allows attackers to cause a denial of service (daemon crash) via unknown vectors, related to a mishandling...
Authorization
IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 on Windows allows remote attackers to bypass "Authorization checking" and obtain sensitive information from JSP pages via a crafted request. NOTE: this is probably a duplicate of CVE-2008-5412...
CVE-2009-0432
The installation process for the File Transfer servlet in the System Management/Repository component in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.19 does not enable the secure version, which allows remote attackers to obtain sensitive information via unspecified vectors...
CVE-2009-0433
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5.1.x before 5.1.1.19, 6.0.x before 6.0.2.29, and 6.1.x before 6.1.0.19, when Web Server plug-in content buffering is enabled, allows attackers to cause a denial of service (daemon crash) via unknown vectors, related to a mishandling...
Information disclosure
The Installation Factory installation process for IBM WebSphere Application Server (WAS) 6.0.2 on Windows, when WAS is registered as a Windows service, allows local users to obtain sensitive information by reading the logs/instconfigifwas6.log log file...
Code injection
Unspecified vulnerability in the IBM Asynchronous I/O (aka AIO or libibmaio) library in the Java Message Service (JMS) component in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.17 on AIX 5.3 allows attackers to cause a denial of service (daemon crash) via vectors related to the aio_getioev2 a...
CVE-2008-4284
Open redirect vulnerability in the ibm_security_logout servlet in IBM WebSphere Application Server (WAS) 5.1.1.19 and earlier 5.x versions, 6.0.x before 6.0.2.33, and 6.1.x before 6.1.0.23 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the...
CVE-2009-0435
Unspecified vulnerability in the IBM Asynchronous I/O (aka AIO or libibmaio) library in the Java Message Service (JMS) component in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.17 on AIX 5.3 allows attackers to cause a denial of service (daemon crash) via vectors related to the aio_getioev2 a...
CVE-2009-0437
CVE-2009-0437 affects the IBM WebSphere Application Server (WAS) 6.0.2 on Windows when WAS is registered as a Windows service. The vulnerability enables local users to obtain sensitive information by reading the logs/instconfigifwas6.log. The provided documents do not include exploitation details...
CVE-2009-0432
The CVE-2009-0432 entry concerns IBM WebSphere Application Server (WAS) 6.1.x prior to 6.1.0.19. The File Transfer servlet in the System Management/Repository component is not configured to enable the secure version, allowing remote attackers to obtain sensitive information via unspecified vector...
CVE-2009-0436
CVE-2009-0436 affects IBM HTTP Server integrated with WebSphere (WAS 6.0.x prior to 6.0.2.31; 6.1.x prior to 6.1.0.19). The mod_ibm_ssl and mod_cgid modules set incorrect permissions on AF_UNIX sockets. Impact is described as unknown and local access vectors are indicated; no public exploit detai...
CVE-2009-0433
CVE-2009-0433 affects IBM WebSphere Application Server (WAS) 5.1.x before 5.1.1.19, 6.0.x before 6.0.2.29, and 6.1.x before 6.1.0.19. The issue arises when the Web Server plug-in content buffering is enabled, due to mishandling of client read failures. This can cause a denial of service (daemon c...
CVE-2009-0437
The Installation Factory installation process for IBM WebSphere Application Server (WAS) 6.0.2 on Windows, when WAS is registered as a Windows service, allows local users to obtain sensitive information by reading the logs/instconfigifwas6.log log file...
CVE-2009-0435
IBM WebSphere Application Server 6.1.x on AIX 5.3 is affected by a denial-of-service vulnerability in the IBM JMS AIO/libibmaio library (aio_getioev2 and getEvent). The issue exists in WAS 6.1.x before 6.1.0.17 and can cause a daemon crash. Remediation: upgrade to WAS 6.1.0.17 or later Fix Pack t...
CVE-2008-4284
Open redirect vulnerability (CVE-2008-4284) in IBM WebSphere Application Server via the ibm_security_logout servlet. Affected versions: WAS 5.1.1.19 and earlier 5.x, 6.0.x before 6.0.2.33, and 6.1.x before 6.1.0.23. Impact: remote attackers can redirect users to arbitrary sites and conduct phishi...