VSR Advisory: IBM Tivoli Access Manager - Web Server Plug-in File Retrieval Vulnerability

2006.02.05
Credit: VSR Advisories
Risk: High
Local: Yes
Remote: Yes
CVE: CVE-2006-0513
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=- Advisory Name: Remote Directory Traversal and File Retrieval Release Date: 2006-02-03 Application: IBM Tivoli Access Manager Version: 5.1.0.10, 6.0.0 (other versions untested) Severity: High Author: Timothy D. Morgan <tmorgan (at) vsecurity (dot) com [email concealed]> Vendor Status: Vendor Notified, Fix Available CVE Candidate: CVE-2006-0513 Reference: http://www.vsecurity.com/bulletins/advisories/2006/tam-file-retrieval.tx t - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=- Product Description: > From IBM's Website[1][2]: "IBM Tivoli Access Manager for e-business is an award winning, policy-based access control solution for e-business and enterprise applications that is in the leader quadrant of Gartner's Magic Quadrant. Tivoli Access Manager for e-business can help you manage growth and complexity, control escalating management costs and address the difficulties of implementing security policies across a wide range of Web and application resources." "Tivoli Access Manager Plug-in for Web Servers enforces a high degree of security in a secure domain by requiring each client to provide proof of identity. Comprehensive network security can be provided by having Tivoli Access Manager Plug-in for Web Servers control the authentication and authorization of clients." Vulnerability Overview: On December 1st, while conducting a penetration test of a TAM enabled web application, VSR identified a vulnerability in Tivoli Web Server Plug-in which is a component of Tivoli Access Manager (TAM). This flaw allows an authenticated attacker to retrieve files (which reside outside of the web root) from the web server on which the plug-in resides. It is possible to retrieve any file or list any directory which is readable by the web server software. Vulnerability Details: IBM's TAM Plug-in contains a logout handler under the root web path named `pkmslogout'. This handler is designed to log out authenticated users. The handler's display template can be specified by the `filename' request parameter. The value of this parameter is intended to be the partial path to a file on the web server which contains the page template. This file path is vulnerable to directory traversal, and can be used to retrieve nearly arbitrary files from the web server hosting the TAM Plug-in. For instance, if a vulnerable plug-in existed on the system tam.example.com, one could exploit the problem by hitting a URL such as: http://tam.example.com/pkmslogout?filename=../../../../../../../etc/pass wd It appears this problem can only be triggered when the attacker is already authenticated through the Web Plug-in. Vendor Response: IBM was first notified on 2005-12-05. Initial response was received on 2005-12-06. A patch for this issue was released (For versions 5.1.0) on 2006-01-18 and was published as a Limited availability fix: 5.1.0-TIV-WPI-LA0016. A generally available fix pack for version 5.1.0 and 6.0 was released by the vendor on 2006-02-03 and available as: Fixpack 5.1.0-TIV-WPI-FP0017 is available at: http://www-1.ibm.com/support/docview.wss?uid=swg24011562 Fixpack 6.0.0-TIV-WPI-FP0001 is available at: http://www-1.ibm.com/support/docview.wss?uid=swg24011561 Recommendation: Apply the relevant fix packs available from IBM. - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=- Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2006-0513 - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=- References: 1. IBM Tivoli Access Manager for e-business - Product overview http://www-306.ibm.com/software/tivoli/products/access-mgr-e-bus/ 2. IBM Tivoli Access Manager Plug-in for Web Servers Authentication http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.ita me2.doc_5.1/am51_webservers_guide26.htm - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=- Greetings to: Hotsauce, Beans, and Cornbread - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=- Copyright 2006 Virtual Security Research, LLC. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFD4+rATY6Rj3GeBOoRAi+eAJ43hbN4SCozKwEVi7q9UVWjtSTe+gCglrwN BjxuwG+YiPsBpIQfA0CYM6k= =GGKM -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top