From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 5 Feb 2006 12:45:58 +0200
Subject: [UNIX] IBM Tivoli Access Manager Directory Traversal
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060205111617.82057582D@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IBM Tivoli Access Manager Directory Traversal
------------------------------------------------------------------------
SUMMARY
" <http://www-306.ibm.com/software/tivoli/products/access-mgr-e-bus/>;
Tivoli Access Manager for e-business is a versatile solution for
authentication and authorization problems. Primarily focused on Web
applications, Access Manager implementations vary from simple Single
Sign-on (SSO) to more complex security infrastructure deployments."
IBM Tivoli Access Manager is vulnerable for directory traversal that allow
authenticated attackers to retrieve any file from the system.
DETAILS
Vulnerable Systems:
* IBM Tivoli Access Manager version 6.0.0
* IBM Tivoli Access Manager version 5.1.0.10
IBM's TAM Plug-in contains a logout handler under the root web path named
`pkmslogout'. This handler is designed to log out authenticated users.
The handler's display template can be specified by the `filename' request
parameter. The value of this parameter is intended to be the partial path
to a file on the web server which contains the page template. This file
path is vulnerable to directory traversal, and can be used to retrieve
nearly arbitrary files from the web server hosting the TAM Plug-in.
For instance, if a vulnerable plug-in existed on the system
tam.example.com, one could exploit the problem by hitting a URL such as:
http://tam.example.com/pkmslogout?filename=../../../../../../../etc/passwd
It appears this problem can only be triggered when the attacker is already
authenticated through the Web Plug-in.
Vendor Status:
A generally available fix pack for version 5.1.0 and 6.0 was released by
the vendor on 2006-02-03 and available as:
Fixpack 5.1.0-TIV-WPI-FP0017 is available at:
<http://www-1.ibm.com/support/docview.wss?uid=swg24011562>;
http://www-1.ibm.com/support/docview.wss?uid=swg24011562
Fixpack 6.0.0-TIV-WPI-FP0001 is available at:
<http://www-1.ibm.com/support/docview.wss?uid=swg24011561>;
http://www-1.ibm.com/support/docview.wss?uid=swg24011561
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0513>;
CVE-2006-0513
Disclosure Timeline:
2005-12-05 IBM was first notified
2005-12-06 Initial response
2006-01-18 A patch for this issue was released (For versions 5.1.0)
2006-02-03 A generally available fix pack for version 5.1.0 and 6.0 was
released
2006-02-03 Public Disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:advisories@vsecurity.com.>
VSR Advisories.
The original article can be found at:
<http://www.vsecurity.com/bulletins/advisories/2006/tam-file-retrieval.txt>; http://www.vsecurity.com/bulletins/advisories/2006/tam-file-retrieval.txt
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
