IBM Tivoli Access Manager for e-business Directory Traversal Vulnerability


Description   A vulnerability has been reported in IBM Tivoli Access Manager for e-business, which can be exploited by malicious people to disclose system information.
Input passed via the URL is not properly verified before being used to display files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks using certain character encodings.
The vulnerability is reported in version 6.1.1 running on AIX, Linux, Solaris, and Windows.
     
Vulnerable Products   Vulnerable Software:
IBM Tivoli Access Manager for e-business 6.x
     
Solution   Apply patch 6.1.1-TIV-AWS-FP0001.
     
CVE   CVE-2010-4623
CVE-2010-4622
     
References   IBM:
http://www.ibm.com/support/docview.wss?uid=swg21459999
http://www.ibm.com/support/docview.wss?uid=swg24028829
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
Misc : Directory traversal - parameter starting with ../
3.2.0
Directory traversal using ..\..
3.2.0
Directory traversal
3.2.0
Directory traversal backward root folder
3.2.0
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2010-12-27 

 Target Type 
Server 

 Possible exploit 
Remote