Re: VSR Advisory: IBM Tivoli Access Manager - Web Server Plug-in File Retrieval Vulnerability

[Robert Kim Wireless Internet Advisor <evdo.hsdpa () gmail com>]

How often do these advisorys come out?

> Product Description:
>
> > From IBM's Website[1][2]:
>
>  "IBM Tivoli Access Manager for e-business is an award winning,
>  policy-based access control solution for e-business and enterprise
>  applications that is in the leader quadrant of Gartner's Magic
>  Quadrant. Tivoli Access Manager for e-business can help you manage
>  growth and complexity, control escalating management costs and address
>  the difficulties of implementing security policies across a wide range
>  of Web and application resources."
>
>  "Tivoli Access Manager Plug-in for Web Servers enforces a high degree
>  of security in a secure domain by requiring each client to provide
>  proof of identity. Comprehensive network security can be provided by
>  having Tivoli Access Manager Plug-in for Web Servers control the
>  authentication and authorization of clients."
>
>
>
> Vulnerability Overview:
>
> On December 1st, while conducting a penetration test of a TAM enabled web
> application, VSR identified a vulnerability in Tivoli Web Server Plug-in
> which is a component of Tivoli Access Manager (TAM).  This flaw allows an
> authenticated attacker to retrieve files (which reside outside of the web
> root) from the web server on which the plug-in resides.  It is
> possible to
> retrieve any file or list any directory which is readable by the web
> server
> software.
>
>
> Vulnerability Details:
>
> IBM's TAM Plug-in contains a logout handler under the root web path named
> `pkmslogout'.  This handler is designed to log out authenticated users.
> The handler's display template can be specified by the `filename' request
> parameter.  The value of this parameter is intended to be the partial path
> to a file on the web server which contains the page template.  This file
> path is vulnerable to directory traversal, and can be used to retrieve
> nearly arbitrary files from the web server hosting the TAM Plug-in.
>
> For instance, if a vulnerable plug-in existed on the system
> tam.example.com,
> one could exploit the problem by hitting a URL such as:
>  http://tam.example.com/pkmslogout?filename=../../../../../../../etc/passwd
>
> It appears this problem can only be triggered when the attacker is
> already authenticated through the Web Plug-in.
>
>
>
> Vendor Response:
> IBM was first notified on 2005-12-05. Initial response was received on
> 2005-12-06.  A patch for this issue was released (For versions 5.1.0) on
> 2006-01-18 and was published as a Limited availability fix:
>  5.1.0-TIV-WPI-LA0016.
>
>
> Recommendation:
>
> Apply the relevant fix packs available from IBM.
>
>
> -
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
>
> Common Vulnerabilities and Exposures (CVE) Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues.  These are candidates for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
>  CVE-2006-0513
--
Robert Q Kim, Wireless Internet Advisor
http://hsdpa-coverage.com
http://www.antennacoverage.com/cell-repeater.html

2611 S. Pacific Coast Highway 101
Suite 102
Cardiff by the Sea, CA 92007
206 984 0880
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/