From: snsadvlac.co.jp
Date: Tue Oct 30 2001 - 02:54:38 CST

    ----------------------------------------------------------------------
    SNS Advisory No.45
    Manpower Japan Potential Personal Information Leak Vulnerability

    Problem first discovered: Fri, 22 Jun 2001
    Published: Tue, 30 Oct 2001
    ----------------------------------------------------------------------

    Type of Document:
    -----------------
      Discovery of a security issue and report of a solution

    Overview:
    ---------
      A vulnerability was found in the Manpower Japan website that could
      lead to disclosure of registered personal information.

    Problem Description:
    --------------------
      Although a username and password are required in order to view
      and/or update personal information, parts of the session management
      were not implemented properly. It was possible to access other
      users' profiles simply by modifying the following parameter in the
      link used to update personal information:

      CandID=100003034

      to

      CandID=100003035
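The flaw above is a missing ownership check on a client-supplied record identifier: the server authenticates the session but then selects the record by the CandID value in the URL. The following added example (not LAC's or Manpower's code; the handler names, sample profiles and session tokens are constructed for illustration) models the vulnerable handler beside a hardened one that derives the record from the session and rejects a CandID that does not belong to it.

```python
"""Added illustration of the access-control flaw in this advisory, with a
hardened handler beside it. All names, profile data and session tokens
below are constructed for the example."""
from dataclasses import dataclass

# Constructed sample data: two candidate profiles keyed by CandID.
PROFILES = {
    100003034: {"name": "Candidate A", "phone": "000-0000-0001"},
    100003035: {"name": "Candidate B", "phone": "000-0000-0002"},
}

# Constructed session store: session token -> CandID of the logged-in user.
SESSIONS = {
    "sess-a": 100003034,
}


class Forbidden(Exception):
    """Raised when a request is not authenticated or not authorised."""


@dataclass
class Request:
    session_token: str
    params: dict  # decoded query-string parameters, e.g. {"CandID": "100003035"}


def require_login(req: Request) -> int:
    """Resolve the session token to the logged-in candidate, or reject."""
    cand_id = SESSIONS.get(req.session_token)
    if cand_id is None:
        raise Forbidden("not authenticated")
    return cand_id


def update_profile_vulnerable(req: Request) -> dict:
    """Authenticates the session, then trusts CandID from the link to pick
    the record. Any logged-in user can reach any other candidate's record
    by changing the number, which is the behaviour the advisory describes."""
    require_login(req)
    cand_id = int(req.params["CandID"])
    return PROFILES[cand_id]


def update_profile_fixed(req: Request) -> dict:
    """Selects the record by the identity bound to the session, never by a
    client-supplied identifier alone. If the link still carries CandID for
    compatibility, it must match the session's CandID or be rejected."""
    session_cand_id = require_login(req)
    requested = req.params.get("CandID")
    if requested is not None and int(requested) != session_cand_id:
        raise Forbidden("CandID does not belong to this session")
    return PROFILES[session_cand_id]


def allows(handler, req: Request) -> bool:
    """Check helper: does the handler serve the request instead of rejecting it?"""
    try:
        handler(req)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    # Logged in as 100003034, asking for 100003035's record.
    probe = Request("sess-a", {"CandID": "100003035"})
    print("vulnerable handler serves other record:", allows(update_profile_vulnerable, probe))
    print("fixed handler serves other record:", allows(update_profile_fixed, probe))
```

The design point is that the fixed handler never lets a request parameter choose whose record is touched; the session is the only source of identity, and a mismatching CandID is treated as a failed authorisation rather than silently corrected. Such mismatches are also worth logging, since a run of sequential CandID values from one session is the signature of exactly this kind of probing.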

    Solution:
    ---------
      This problem was reported to those in charge immediately after
      discovery so that appropriate measures could be taken. The affected
      session management has since been fixed (October 29, 2001).

    Discovered by:
    --------------
      Nobuo Miwa (LAC) n-miwalac.co.jp

    Disclaimer:
    -----------
      All information in these advisories is subject to change without
      advance notice or mutual consensus, and is released as is. LAC
      Co., Ltd. is not responsible for any risks arising from applying
      this information.

    References
    ----------
      Archive of this advisory (in preparation):
      http://www.lac.co.jp/security/english/snsadv_e/45_e.html

    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadvlac.co.jp>
    Computer Security Laboratory, LAC http://www.lac.co.jp/security/