Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Patrik Karlsson (patrik.karlssonixsecurity.com)
Date: Mon Jul 23 2001 - 06:00:00 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hash: SHA1

    iXsecurity Security Vulnerability Report
    No: iXsecurity.20010618.policy_director.a

    Vulnerability Summary
    - -------------------
    Problem: Web Seal Policy director does not handle URLs
                            in hex code correct. It is possible to
                            perform web traversals by appending %2e, to
                            access the underlying web server.

    Threat: It is possible to view all files on the
                            server and exploit some of the web server

    Affected Software: This exposure exists on Tivoli SecureWay
                            Policy Director versions 3.01, 3.6, 3.7
                            and 3.7.1.

    Platform: This exposure only occurs on the
                            Tivoli SecureWay Policy Director WebSEAL
                            proxy server, running on any of the
                            Web server operating systems, which consist
                            of: HP-UX,IBM AIX, Sun Solaris,
                            Microsoft Windows NT, or Windows 2000.

    Solution: Install the patch for Tivoli SecureWay
                            Policy Director.

    Vulnerability Description
    - -----------------------
    The IBM/Tivoli Web Seal Policy director is supposed to gather
    all directories on several web servers that users are allowed
    to access and present them as a logical web server. The policy
    director is supposed to seal users into pre-defined directories
    on the web server according to the company policy. If you
    make connections to the web server on port 80 the Web Seal is
    answering and tries to lock you into the pre-defined directory.
    By appending /%2e%2e/%2e%2e you are escaping the policy director
    and are able to perform directory traversals and viewing most
    files on the system as well as be able to exploit vulnerabilities
    in the web server. iXsecurity was able to exploit the good old RDS
    vulnerability by patching Rain Forest Puppys' msadc.pl script

    - ------
    Install the patch for Tivoli SecureWay Policy Director.
    This patch is available now and corrects the potential problem by
    enhancing the URL access control verification being performed.

    This patch may be downloaded as follows:

    For registered users, please visit

    For all other users, please access the FTP server:
    For version 3.01
    For version 3.6
    For version 3.7
    For version 3.7.1

    Additional Information
    - --------------------
    IBM and Tivoli was contacted 19 June, 2001

    This vulnerability was found during a PenTest by
    Patrik Karlsson and Rikard Carlsson
    - ----------------------------
    iXsecurity is a Swedish and U.K. based tiger team that has worked
    with computer-related security since 1982 and done network
    penetration tests and technical audits since 1995. iXsecurity is
    hiring in Sweden and the United Kingdom. Call Christer Stafferod
    on +46(0)8 6621070 ( mailto:christerixsecurity.com ) for more

    Version: PGP 7.0.1

    -----END PGP SIGNATURE-----