Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11296
HistoryFeb 04, 2006 - 12:00 a.m.

[Full-disclosure] VSR Advisory: IBM Tivoli Access Manager - Web Server Plug-in File Retrieval Vulnerability

2006-02-0400:00:00
vulners.com
27
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

           Virtual Security Research, LLC.
              http://www.vsecurity.com/
                 Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Remote Directory Traversal and File Retrieval
Release Date: 2006-02-03
Application: IBM Tivoli Access Manager
Version: 5.1.0.10, 6.0.0 (other versions untested)
Severity: High
Author: Timothy D. Morgan <[email protected]>
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2006-0513
Reference:
http://www.vsecurity.com/bulletins/advisories/2006/tam-file-retrieval.txt

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description:

> From IBM's Website[1][2]:

"IBM Tivoli Access Manager for e-business is an award winning,
policy-based access control solution for e-business and enterprise
applications that is in the leader quadrant of Gartner's Magic
Quadrant. Tivoli Access Manager for e-business can help you manage
growth and complexity, control escalating management costs and address
the difficulties of implementing security policies across a wide range
of Web and application resources."

"Tivoli Access Manager Plug-in for Web Servers enforces a high degree
of security in a secure domain by requiring each client to provide
proof of identity. Comprehensive network security can be provided by
having Tivoli Access Manager Plug-in for Web Servers control the
authentication and authorization of clients."

Vulnerability Overview:

On December 1st, while conducting a penetration test of a TAM enabled web
application, VSR identified a vulnerability in Tivoli Web Server Plug-in
which is a component of Tivoli Access Manager (TAM). This flaw allows an
authenticated attacker to retrieve files (which reside outside of the web
root) from the web server on which the plug-in resides. It is
possible to
retrieve any file or list any directory which is readable by the web
server
software.

Vulnerability Details:

IBM's TAM Plug-in contains a logout handler under the root web path named
`pkmslogout'. This handler is designed to log out authenticated users.
The handler's display template can be specified by the `filename' request
parameter. The value of this parameter is intended to be the partial path
to a file on the web server which contains the page template. This file
path is vulnerable to directory traversal, and can be used to retrieve
nearly arbitrary files from the web server hosting the TAM Plug-in.

For instance, if a vulnerable plug-in existed on the system
tam.example.com,
one could exploit the problem by hitting a URL such as:
http://tam.example.com/pkmslogout?filename=../../../../../../../etc/passwd

It appears this problem can only be triggered when the attacker is
already authenticated through the Web Plug-in.

Vendor Response:
IBM was first notified on 2005-12-05. Initial response was received on
2005-12-06. A patch for this issue was released (For versions 5.1.0) on
2006-01-18 and was published as a Limited availability fix:
5.1.0-TIV-WPI-LA0016.

A generally available fix pack for version 5.1.0 and 6.0 was released by
the vendor on 2006-02-03 and available as:

Fixpack 5.1.0-TIV-WPI-FP0017 is available at:
http://www-1.ibm.com/support/docview.wss?uid=swg24011562

Fixpack 6.0.0-TIV-WPI-FP0001 is available at:
http://www-1.ibm.com/support/docview.wss?uid=swg24011561

Recommendation:

Apply the relevant fix packs available from IBM.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CVE-2006-0513

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

  1. IBM Tivoli Access Manager for e-business - Product overview
    http://www-306.ibm.com/software/tivoli/products/access-mgr-e-bus/

  2. IBM Tivoli Access Manager Plug-in for Web Servers Authentication

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame2.doc_5.1/am51_webservers_guide26.htm

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Greetings to:
Hotsauce, Beans, and Cornbread

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Copyright 2006 Virtual Security Research, LLC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD4+nNTY6Rj3GeBOoRAtkIAKCPw5hcpKKYX6CdXORp6CFN4+PQXwCeONJo
W/sNIac0QLaVJNzK/IlpmZU=
=jbtc
-----END PGP SIGNATURE-----

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Related

prion 1
cve 1
checkpoint_advisories 1
prion
prion
Directory traversal
2006-02-06 23:02:00
cve
cve
CVE-2006-0513
2006-02-06 23:02:00
checkpoint_advisories
checkpoint_advisories
Update Protection against Directory Traversal Vulnerability in IBM Tivoli Access Manager
2006-03-26 00:00:00
JSON
Related for SECURITYVULNS:DOC:11296
prion1cve1checkpoint_advisories1