[23021] in bugtraq
[SNS Advisory No.45]Manpower Japan Potential Personal Information Leak Vulnerability
daemon@ATHENA.MIT.EDU (snsadv@lac.co.jp)
Tue Oct 30 12:25:54 2001
Date: Tue, 30 Oct 2001 17:54:38 +0900
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
To: bugtraq@securityfocus.com
Message-Id: <20011030175411.AE6E.SNSADV@lac.co.jp>
----------------------------------------------------------------------
SNS Advisory No.45
Manpower Japan Potential Personal Information Leak Vulnerability
Problem first discovered: Fri, 22 Jun 2001
Published: Tue, 30 Oct 2001
----------------------------------------------------------------------
Type of Document:
-----------------
Discovery of a security issue and report of a solution
Overview:
---------
A vulnerability was found on the Manpower Japan web site that could lead
to disclosure of the personal information of registered candidates.
Problem Description:
--------------------
Although a username and password must be authenticated in order to view
and/or update personal information, some parts of the session management
were not handled properly: the server did not verify that the profile
being requested belonged to the authenticated user. It was therefore
possible to access other candidates' profiles simply by modifying the
following parameter included in the link that allows personal
information to be updated:
CandID=100003034
to
CandID=100003035
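The flaw described above is a missing authorization check on a direct object reference: the user is authenticated, but the record returned is whichever CandID appears in the link, and because the IDs are sequential, stepping from one to the next enumerates other people's data. The following model is an added example written for this page; it is not code from LAC or from the Manpower Japan site. The profile store, the session table and the handler names are all constructed for illustration, and the two CandID values are the ones quoted in the advisory, not real records.

```python
"""Added example (not the advisory's or the vendor's code): a minimal model
of the flaw in SNS Advisory No.45, where the server trusted the CandID
query parameter instead of the authenticated session.

All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Profile:
    cand_id: int
    name: str
    email: str


# Constructed sample data: two registered candidates with adjacent IDs.
PROFILES = {
    100003034: Profile(100003034, "Candidate A", "a@example.invalid"),
    100003035: Profile(100003035, "Candidate B", "b@example.invalid"),
}

# Constructed session table: session cookie -> authenticated CandID.
SESSIONS = {
    "sess-a": 100003034,
    "sess-b": 100003035,
}


def cand_id_from_url(url: str) -> Optional[int]:
    """Extract the CandID query parameter from an update link, if present."""
    values = parse_qs(urlparse(url).query).get("CandID")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def update_link_vulnerable(session_cookie: str, url: str):
    """The flawed behaviour described in the advisory.

    Login is required, but once authenticated the profile returned is
    whatever CandID the link carries. Nothing ties the requested record to
    the session, so editing the parameter reads another candidate's profile.
    """
    if session_cookie not in SESSIONS:
        return 401, None
    cand_id = cand_id_from_url(url)
    if cand_id is None or cand_id not in PROFILES:
        return 404, None
    return 200, PROFILES[cand_id]


def update_link_fixed(session_cookie: str, url: str):
    """Hardened form: the record is selected by the session's own CandID.

    A CandID in the URL that does not match the authenticated identity is
    rejected with 403 (so tampering can be logged) rather than honoured.
    """
    owner = SESSIONS.get(session_cookie)
    if owner is None:
        return 401, None
    requested = cand_id_from_url(url)
    if requested is not None and requested != owner:
        return 403, None
    return 200, PROFILES[owner]


def enumerate_neighbours(handler, session_cookie: str, start: int, count: int):
    """Walk sequential CandIDs the way an attacker would and return the IDs
    whose profile the handler disclosed to this session."""
    disclosed = []
    for cand_id in range(start, start + count):
        status, profile = handler(session_cookie, f"/update?CandID={cand_id}")
        if status == 200 and profile is not None:
            disclosed.append(profile.cand_id)
    return disclosed


if __name__ == "__main__":
    # Logged in as candidate A, request A's own ID and the next one.
    print("vulnerable:", enumerate_neighbours(update_link_vulnerable, "sess-a", 100003034, 2))
    print("fixed:     ", enumerate_neighbours(update_link_fixed, "sess-a", 100003034, 2))
```

The fix that matters is in update_link_fixed: the record is chosen from the server-side session, and the client-supplied CandID is at most compared against it. Making the identifiers non-sequential would slow enumeration but would not remove the flaw; only the ownership check does.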
Solution:
---------
This problem was reported to the responsible parties immediately after
discovery so that appropriate measures could be taken. The affected
session management has since been fixed (October 29, 2001).
Discovered by:
--------------
Nobuo Miwa (LAC) n-miwa@lac.co.jp
Disclaimer:
-----------
All information in these advisories is subject to change without advance
notice or mutual consensus, and is released as is. LAC Co., Ltd. is not
responsible for any risk arising from the application of this information.
References
----------
Archive of this advisory (in preparation):
http://www.lac.co.jp/security/english/snsadv_e/45_e.html
------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/