Re: [Full-disclosure] VSR Advisory: IBM Tivoli Access Manager - Web Server Plug-in File Retrieval Vulnerability
From: Robert Kim Wireless Internet Advisor (evdo.hsdpagmail.com)
Date: Fri Feb 03 2006 - 18:35:14 CST
How often do these advisories come out?
> Product Description:
> From IBM's Website:
> "IBM Tivoli Access Manager for e-business is an award winning,
> policy-based access control solution for e-business and enterprise
> applications that is in the leader quadrant of Gartner's Magic
> Quadrant. Tivoli Access Manager for e-business can help you manage
> growth and complexity, control escalating management costs and address
> the difficulties of implementing security policies across a wide range
> of Web and application resources."
> "Tivoli Access Manager Plug-in for Web Servers enforces a high degree
> of security in a secure domain by requiring each client to provide
> proof of identity. Comprehensive network security can be provided by
> having Tivoli Access Manager Plug-in for Web Servers control the
> authentication and authorization of clients."
> Vulnerability Overview:
> On December 1st, while conducting a penetration test of a TAM enabled web
> application, VSR identified a vulnerability in Tivoli Web Server Plug-in
> which is a component of Tivoli Access Manager (TAM). This flaw allows an
> authenticated attacker to retrieve files (which reside outside of the web
> root) from the web server on which the plug-in resides. It is possible to
> retrieve any file or list any directory which is readable by the web
> Vulnerability Details:
> IBM's TAM Plug-in contains a logout handler under the root web path named
> `pkmslogout'. This handler is designed to log out authenticated users.
> The handler's display template can be specified by the `filename' request
> parameter. The value of this parameter is intended to be the partial path
> to a file on the web server which contains the page template. This file
> path is vulnerable to directory traversal, and can be used to retrieve
> nearly arbitrary files from the web server hosting the TAM Plug-in.
> For instance, if a vulnerable plug-in existed on the system
> one could exploit the problem by hitting a URL such as:
> It appears this problem can only be triggered when the attacker is
> already authenticated through the Web Plug-in.
> Vendor Response:
> IBM was first notified on 2005-12-05. Initial response was received on
> 2005-12-06. A patch for this issue was released (For versions 5.1.0) on
> 2006-01-18 and was published as a Limited availability fix:
> Apply the relevant fix packs available from IBM.
> Common Vulnerabilities and Exposures (CVE) Information:
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues. These are candidates for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
Robert Q Kim, Wireless Internet Advisor
2611 S. Pacific Coast Highway 101
Cardiff by the Sea, CA 92007
206 984 0880
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
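
A detection sketch for the issue described in the quoted advisory, added here as an example (it is not code from VSR, IBM, or the original post): it scans web server access logs for requests to the `pkmslogout` handler whose `filename` parameter is absolute or climbs out of the template directory. The Common Log Format layout, the function names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a Common Log Format entry (the log layout is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
HANDLER = "pkmslogout"  # logout handler named in the advisory
PARAM = "filename"      # template parameter named in the advisory

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so nested encodings such as %252e are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the template path is absolute or contains a '..' segment."""
    path = fully_decode(value).replace("\\", "/")
    if path.startswith("/") or re.match(r"[A-Za-z]:", path):
        return True
    return ".." in path.split("/")

def suspicious_logout_requests(log_lines):
    """Return (line number, decoded filename) for each flagged logout request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        url = urlsplit(match.group("target")) if match else None
        if url is None or url.path.rstrip("/").rsplit("/", 1)[-1] != HANDLER:
            continue
        for value in parse_qs(url.query).get(PARAM, []):
            if is_traversal(value):
                hits.append((number, fully_decode(value)))
    return hits

# Constructed sample log lines, not taken from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - alice [03/Feb/2006:18:35:14 -0600] "GET /pkmslogout HTTP/1.1" 200 812',
    '10.0.0.5 - alice [03/Feb/2006:18:36:02 -0600] "GET /pkmslogout?filename=logout_custom.html HTTP/1.1" 200 640',
    '10.0.0.9 - bob [03/Feb/2006:18:40:11 -0600] "GET /pkmslogout?filename=../../../tmp/constructed.txt HTTP/1.1" 200 97',
    '10.0.0.9 - bob [03/Feb/2006:18:40:19 -0600] "GET /pkmslogout?filename=%252e%252e%252ftmp%252fconstructed.txt HTTP/1.1" 200 97',
    '10.0.0.7 - carol [03/Feb/2006:18:41:00 -0600] "GET /index.html?filename=../x HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for number, name in suspicious_logout_requests(SAMPLE_LOG):
        print(f"line {number}: {HANDLER} requested with {PARAM}={name!r}")
```

Because the advisory notes the flaw is reachable only after authentication, the authenticated user field on each flagged log line identifies the account to review.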