[21769] in bugtraq
iXsecurity.20010618.policy_director.a
daemon@ATHENA.MIT.EDU (Patrik Karlsson)
Mon Jul 23 11:30:01 2001
Message-Id: <200107231100.f6NB00R21320@foofighter.smufsa.nu>
From: patrik.karlsson@ixsecurity.com (Patrik Karlsson)
Date: Mon, 23 Jul 2001 10:00:00 -0100 (GMT+1)
To: bugtraq@securityfocus.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iXsecurity Security Vulnerability Report
No: iXsecurity.20010618.policy_director.a
=========================================
Vulnerability Summary
- -------------------
Problem:            Web Seal Policy Director does not handle URLs
                    in hex code correctly. It is possible to
                    perform web traversals by appending %2e to
                    access the underlying web server.

Threat:             It is possible to view all files on the
                    server and exploit some of the web server's
                    vulnerabilities.

Affected Software:  This exposure exists on Tivoli SecureWay
                    Policy Director versions 3.01, 3.6, 3.7
                    and 3.7.1.

Platform:           This exposure only occurs on the
                    Tivoli SecureWay Policy Director WebSEAL
                    proxy server, running on any of the
                    web server operating systems, which consist
                    of: HP-UX, IBM AIX, Sun Solaris,
                    Microsoft Windows NT, or Windows 2000.

Solution:           Install the patch for Tivoli SecureWay
                    Policy Director.
Vulnerability Description
- -----------------------
The IBM/Tivoli Web Seal Policy Director is supposed to gather
all directories on several web servers that users are allowed
to access and present them as a logical web server. The Policy
Director is supposed to seal users into pre-defined directories
on the web server according to the company policy. If you
make connections to the web server on port 80, the Web Seal
answers and tries to lock you into the pre-defined directory.
By appending /%2e%2e/%2e%2e you escape the Policy Director
and are able to perform directory traversals and view most
files on the system, as well as exploit vulnerabilities
in the web server. iXsecurity was able to exploit the good old RDS
vulnerability by patching Rain Forest Puppy's msadc.pl script
(www.wiretrip.net/rfp).
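
The failure mode described above, as an added example that is not part of the original advisory and is not WebSEAL code: a front-end check applied to the raw request path next to one applied after decoding and normalisation. It assumes a proxy that authorises the undecoded path while the backend decodes it; ALLOWED_ROOT, the function names and the sample paths are constructed for illustration.

```python
# Added illustration: a simplified model of the bug class, not WebSEAL code.
import posixpath
from urllib.parse import unquote

ALLOWED_ROOT = "/public"  # hypothetical directory users should be sealed into

# Constructed sample request paths.
TRAVERSAL = "/public/%2e%2e/%2e%2e/etc/passwd"
LEGITIMATE = "/public/docs/index.html"


def naive_check(raw_path: str) -> bool:
    """Flawed: inspects the raw path, so '%2e%2e' is never seen as '..'."""
    return raw_path.startswith(ALLOWED_ROOT + "/") and ".." not in raw_path


def backend_resolves(raw_path: str) -> str:
    """What the backend ends up serving: decode, then collapse dot segments."""
    return posixpath.normpath(unquote(raw_path))


def canonical_check(raw_path: str) -> bool:
    """Hardened: decode to a fixed point, normalise, then authorise the result."""
    path = raw_path
    for _ in range(4):                 # bounded number of decoding rounds
        decoded = unquote(path)
        if decoded == path:
            break                      # stable: no encoded bytes remain
        path = decoded
    else:
        return False                   # still changing: refuse deep nesting
    if "\x00" in path or "\\" in path:
        return False                   # NUL bytes and Windows-style separators
    resolved = posixpath.normpath(path)
    return resolved == ALLOWED_ROOT or resolved.startswith(ALLOWED_ROOT + "/")


if __name__ == "__main__":
    for p in (TRAVERSAL, LEGITIMATE):
        print(p, naive_check(p), canonical_check(p), backend_resolves(p))
```

The decision has to be made on the same canonical form the backend will act on; any check done before decoding can disagree with what is finally served.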
Solution
- ------
Install the patch for Tivoli SecureWay Policy Director.
This patch is available now and corrects the potential problem by
enhancing the URL access control verification being performed.
This patch may be downloaded as follows:
For registered users, please visit
http://www.tivoli.com/support/downloads/
For all other users, please access the FTP server:
For version 3.01
ftp://ftp.tivoli.com/support/patches/patches_3.0.1/3.0.1-POL-0001
For version 3.6
ftp://ftp.tivoli.com/support/patches/patches_3.6/3.6-POL-0011
For version 3.7
ftp://ftp.tivoli.com/support/patches/patches_3.7.1/3.7.1-POL-0003
For version 3.7.1
ftp://ftp.tivoli.com/support/patches/patches_3.7.1/3.7.1-POL-0003
Additional Information
- --------------------
IBM and Tivoli were contacted on 19 June, 2001.
This vulnerability was found during a PenTest by
Patrik Karlsson and Rikard Carlsson
patrik.karlsson@ixsecurity.com
rikard.carlsson@ixsecurity.com
- ----------------------------
iXsecurity is a Swedish and U.K. based tiger team that has worked
with computer-related security since 1982 and done network
penetration tests and technical audits since 1995. iXsecurity is
hiring in Sweden and the United Kingdom. Call Christer Stafferod
on +46(0)8 6621070 ( mailto:christer@ixsecurity.com ) for more
information.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQA/AwUBO1gvcu0UT89+sfzcEQIkVACeLD1dUpsCw6oUOvgkYFDyfetwcrgAoPcb
3fngsDbc+EQGVz8Ce/oHrLCa
=cFSE
-----END PGP SIGNATURE-----