Sun Java System Identity Manager multiple security vulnerabilities
Cross-site request forgery, unauthorized access...
PR08-09: Unauthenticated File Retrieval on Sun Java System Identity Manager "ext" parameter
PR08-09: Unauthenticated File Retrieval on Sun Java System Identity Manager "ext" parameter Date Found: 25th April 2008 Vendor Contacted: 28th April 2008 Date Public: 10th November 2008 Severity: High Credits: Richard Brain of ProCheckUp Ltd www.procheckup.com. ProCheckUp thanks Sun for working...
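Sun Java System Identity Manager Directory Traversal and Cross-Site Request Forgery Vulnerabilities
BUGTRAQ ID: 32262 CVECAN ID: CVE-2008-5117,CVE-2008-5118,CVE-2008-5116,CVE-2008-5115,CVE-2008-5114 Sun Java System Identity Manager is a complete end-to-end solution for protecting sensitive data and managing identity profiles and permissions. The /idm/includes/helpServer.jsp server-side script in Identity Manager does not properly validate the ext parameter. An unauthenticated remote attacker can submit a malicious request to the server to perform a directory traversal attack and retrieve files from any known location on the file system. Identity...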
PR07-11: Cross-site Request Forgery (CSRF) on Sun Java System Identity Manager
PR07-11: Cross-site Request Forgery (CSRF) on Sun Java System Identity Manager Date Found: 11th June 2007 Vendor Contacted: 18th June 2007 Date Public: 10th November 2008 Severity: Medium/High Credits: Adrian Pastor and Jan Fry of ProCheckUp Ltd www.procheckup.com. ProCheckUp thanks Sun for working...
CVE-2008-5115
Cross-site request forgery (CSRF) vulnerability in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to hijack the authentication of administrators for requests that update the password via idm/admin/changeself.jsp...
Cross site scripting
Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors...
Design/Logic Flaw
Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to inject frames from arbitrary web sites and conduct phishing attacks via unspecified vectors, related to "frame injection."...
Open redirect
Open redirect vulnerability in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors...
CVE-2008-5114
Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors...
Directory traversal
Directory traversal vulnerability in idm/includes/helpServer.jsp in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to read arbitrary files in the filesystem of the IDM server via directory traversal sequences in the ext parameter...
CVE-2008-5117
Open redirect vulnerability in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors...
CVE-2008-5115
Cross-site request forgery (CSRF) vulnerability in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to hijack the authentication of administrators for requests that update the password via idm/admin/changeself.jsp...
CVE-2008-5116
Directory traversal vulnerability in idm/includes/helpServer.jsp in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to read arbitrary files in the filesystem of the IDM server via directory traversal sequences in the ext parameter...
CVE-2008-5115
CVE-2008-5115 affects Sun Java System Identity Manager (versions 6.0 up to SP4, 7.0, 7.1). The vulnerability is a CSRF flaw in the update password functionality via /idm/admin/changeself.jsp, which could allow an unauthenticated attacker to hijack an administrator’s session and change the passwor...
CVE-2008-5114
Sun Java System Identity Manager is affected by CVE-2008-5114, with multiple XSS vulnerabilities disclosed in versions 6.0 (including SP1-SP4), 7.0, and 7.1. The described issue allows remote attackers to inject arbitrary script/HTML via unspecified vectors. Exploit details and exact affected com...
CVE-2008-5116
Sun Java System Identity Manager is affected by CVE-2008-5116 due to a failure to sanitize the ext parameter in idm/includes/helpServer.jsp. The issue allows unauthenticated remote attackers to perform directory traversal and read arbitrary files from the IDM server filesystem on affected version...
CVE-2008-5098
CVE-2008-5098 is an XSS vulnerability in Sun Java System Messaging Server versions 6.2 and 6.3. The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, and it is noted as a different vulnerability from CVE-2007-2904. The connected sources provide the affe...
Sun Java System Identity Manager Version Detection (deprecated)
Sun Java System Identity Manager 6.0/7.x - Multiple Vulnerabilities
Sun Java System Identity Manager 6.0/7.x - Multiple Vulnerabilities...
Sun Java System Identity Manager 6.0/7.x - Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/32262/info Sun Java System Identity Manager is prone to multiple web-interface vulnerabilities, including a cross-site request-forgery issue, multiple cross-site scripting issues, multiple HTML-injection issues, and a directory-traversal vulnerability...