Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20899
HistoryNov 21, 2008 - 12:00 a.m.

PR08-09: Unauthenticated File Retrieval on Sun Java System Identity Manager "ext" parameter

2008-11-2100:00:00
vulners.com
26
JSON

PR08-09: Unauthenticated File Retrieval on Sun Java System Identity
Manager "ext" parameter

Date Found: 25th April 2008

Vendor Contacted: 28th April 2008

Date Public: 10th November 2008

Severity: High

Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com).

ProCheckUp thanks Sun for working with us.

Description:

Sun Java System Identity Manager is vulnerable to unauthenticated file
retrieval a.k.a. directory traversal within the "ext" parameter
processed by the "/idm/includes/helpServer.jsp" server-side script.

Consequences:

Any files can be retrieved from the target server provided that the
attacker knows its location on the filesystem. No authentication is
required to exploit this vulnerability.

Proof of concept (PoC):

Due to the severity of this issue, ProCheckUp will keep the PoC private
until all Sun Identity Manager customers are given enough time to update.

Successfully tested on:

Server environment:

Windows Server 2003, Standard
Apache Tomcat/5.0.28
Sun Java System Identity Manager 6.0 (20061212 SP 2)

Note: the version of Sun Java SIM can be obtained from the HTML source
code of the user login page: "/idm/user/login.jsp"

i.e.:

[snip]

<a onmouseover="return overlib('Open <b>Help</b><br>Version &nbsp;Sun
Java System Identity Manager 6.0 (20061212 SP 2)',
FGCOLOR, '#F5F5DC',
BGCOLOR, '#000000',
DELAY, '750')"
[snip]

References:

http://www.sun.com/software/products/identity_mgr/index.xml
http://www.procheckup.com/Vulnerabilities

Fix:

Apply the patches released by Sun. This vulnerability has been filed as
Sun Bugzilla bug 18653.

For more information please see
http://sunsolve.sun.com/search/document.do?assetkey=1-26-243386-1

Legal:

Copyright 2008 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if the Bulletin is not changed or edited in any way, is attributed
to ProCheckUp indicating this web page URL, and provided such
reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. ProCheckUp is not
liable for any misuse of this information by any third party. ProCheckUp
is not responsible for the content of external Internet sites.

JSON