Credit:
The information has been provided by VSR Advisories.
The original article can be found at: http://www.vsecurity.com/bulletins/advisories/2006/tam-file-retrieval.txt
Vulnerable Systems:
* IBM Tivoli Access Manager version 6.0.0
* IBM Tivoli Access Manager version 5.1.0.10
IBM's TAM Plug-in contains a logout handler under the root web path named `pkmslogout'. This handler is designed to log out authenticated users. The handler's display template can be specified by the `filename' request parameter. The value of this parameter is intended to be the partial path to a file on the web server which contains the page template. This file path is vulnerable to directory traversal, and can be used to retrieve nearly arbitrary files from the web server hosting the TAM Plug-in.
For instance, if a vulnerable plug-in existed on the system tam.example.com, one could exploit the problem by hitting a URL such as:
http://tam.example.com/pkmslogout?filename=../../../../../../../etc/passwd
It appears this problem can only be triggered when the attacker is already authenticated through the Web Plug-in.
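The following log check is an added example, not part of the VSR advisory or IBM's code. It flags requests to `pkmslogout' whose `filename' value leaves the template directory; the Common Log Format layout is an assumption and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a Common Log Format entry (assumed log layout).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable, since logs may record the value encoded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_filename(value):
    """True if the template path is absolute or contains a '..' component."""
    path = fully_decode(value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def scan(lines):
    """Return (line_number, filename) for each suspicious pkmslogout request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path.rstrip("/").lower() != "/pkmslogout":
            continue
        # parse_qs already decodes once; fully_decode handles any remainder.
        for value in parse_qs(url.query).get("filename", []):
            if suspicious_filename(value):
                hits.append((number, fully_decode(value)))
    return hits

# Constructed sample access-log lines (hosts, users and sizes are made up).
SAMPLE_LOG = [
    '192.0.2.10 - alice [03/Feb/2006:10:00:01 +0000] "GET /pkmslogout HTTP/1.1" 200 512',
    '192.0.2.10 - alice [03/Feb/2006:10:00:05 +0000] "GET /pkmslogout?filename=logout_custom.html HTTP/1.1" 200 640',
    '192.0.2.77 - bob [03/Feb/2006:10:02:11 +0000] "GET /pkmslogout?filename=../../../../../../../etc/passwd HTTP/1.1" 200 1830',
    '192.0.2.10 - alice [03/Feb/2006:10:03:00 +0000] "GET /index.html?filename=../x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, filename in scan(SAMPLE_LOG):
        print(f"line {number}: pkmslogout filename={filename}")
```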
Vendor Status:
A generally available fix pack for versions 5.1.0 and 6.0 was released by the vendor on 2006-02-03 and is available as:
Fixpack 5.1.0-TIV-WPI-FP0017 is available at: http://www-1.ibm.com/support/docview.wss?uid=swg24011562
Fixpack 6.0.0-TIV-WPI-FP0001 is available at: http://www-1.ibm.com/support/docview.wss?uid=swg24011561
CVE Information:
CVE-2006-0513
Disclosure Timeline:
2005-12-05 IBM was first notified
2005-12-06 Initial response
2006-01-18 A patch for this issue was released (For versions 5.1.0)
2006-02-03 A generally available fix pack for versions 5.1.0 and 6.0 was released
2006-02-03 Public Disclosure