[SA11761] IBM Products Forms Authentication Session Hijacking
From: Secunia Security Advisories (sec-adv secunia.com)
Date: Fri Jun 04 2004 - 03:09:50 CDT
TITLE:
IBM Products Forms Authentication Session Hijacking
SECUNIA ADVISORY ID:
SA11761
VERIFY ADVISORY:
http://secunia.com/advisories/11761/
CRITICAL:
Less critical
IMPACT:
Hijacking
WHERE:
From local network
SOFTWARE:
IBM Tivoli Access Manager for e-business 3.x
IBM Tivoli Access Manager for e-business 4.x
IBM Tivoli Access Manager for e-business 5.x
IBM Tivoli Configuration Manager 4.x
IBM Tivoli Configuration Manager for Automatic Teller Machines 2.x
Tivoli SecureWay Policy Director 3.x
DESCRIPTION:
A security issue has been discovered in multiple IBM products, which
under some circumstances potentially can be exploited by malicious
people to hijack an authenticated user's session.
The vulnerability is caused due to an error related to the usage of
cookies to maintain session connection information when logging in
using forms authentication.
Successful exploitation may grant access to restricted resources and
data, or control of an affected application.
The vendor reports the following products as affected:
* Tivoli SecureWay Policy Director version 3.8
* IBM Tivoli Access Manager for e-business version 3.9, 4.1, and 5.1
* IBM Tivoli Access Manager Identity Manager Solution version 5.1
* IBM Tivoli Configuration Manager version 4.2
* IBM Tivoli Configuration Manager for Automated Teller Machines
version 2.1.0
* IBM WebSphere Everyplace Server, Service Provider Offering for
Multi-platforms version 2.1.3, 2.14, and 2.15
SOLUTION:
See patch matrix in original advisory.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www-1.ibm.com/support/docview.wss?uid=swg21168762
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------