SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Security)  >   JCSI SSO Suite
Vendors:   Wedgetail Communications Pty Ltd.
Wedgetail JCSI Single Sign-On Parsing Flaw May Disable Access Controls in Certain Situations
SecurityTracker Alert ID:  1007453
SecurityTracker URL:  http://securitytracker.com/id/1007453
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 10 2003
Impact:   User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.1; 1.0, 1.0.2, and 1.2 are not affected
Description:   A vulnerability was reported in Wedgetail's JCSI Single Sign-On (SSO) application. When an administrator redeploys an application, some access controls may be disabled. This can allow remote users to gain unauthorized access to web applications.

It is reported that the software incorrectly matches patterns in an XML file used to specify standard "<security-constraint>" access control rules for J2EE web applications. The software reportedly matches the "<url-pattern>" tags based on the entire URI rather than the path relative to the Web ARchive file. As a result, security access control rules defined for one context-root may not apply if the application is moved to a different context-root.

Impact:   A remote user may be able to access web applications when the JCSI SSO application has been redeployed to a different context-root.
Solution:   The vendor plans to issue a fix in JCSI SSO version 1.2.

The following workaround can reportedly be used:

Make sure that the URI paths in the policy XML file properly match the deployed context-root in all Web applications protected with JCSI SSO.

Vendor URL:  www.wedgetail.com/support/wsa-20030729-1-0.html
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  http://www.wedgetail.com/support/wsa-20030729-1-0.html


Wedgetail Communications issued a security advisory (WSA-20030729-1-0) warning that the 
redeployment of JCSI SSO applications may disable some access controls.

According to the report, JCSI SSO 1.1 is vulnerable and JCSI SSO versions 1.0, 1.0.2, and 
1.2 are not affected.

The vendor indicates that the software incorrectly matches patterns in an XML file used to 
specify standard "<security-constraint>" access control rules for J2EE web applications. 
The software reportedly matches the "<url-pattern>" tags based on the entire URI rather 
than the path relative to the Web ARchive file.  As a result, security access control 
rules defined for one context-root may not apply if the application is moved to a 
different context-root.

The following workaround can reportedly be used:

Make sure that the URI paths in the policy XML file properly match the deployed 
context-root in all Web applications protected with JCSI SSO.

A fix will be issued in JCSI SSO 1.2.

-----

Type of Advisory:  Medium
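The flaw described above, modelled as an added example (not Wedgetail's code): a constructed `<security-constraint>` policy is evaluated once by matching `<url-pattern>` entries against the entire request URI, and once against the path relative to the deployed context-root. Deploying the same policy under a context-root such as `/sso` (an assumed name) silently disables the constraints in the first variant.

```python
"""Why matching <url-pattern> against the full URI breaks after redeployment."""
from urllib.parse import urlsplit

# Constructed policy in the spirit of a web.xml <security-constraint> list.
# url-patterns are, per the servlet model, relative to the WAR's context-root.
CONSTRAINTS = [
    {"patterns": ["/admin/*"], "roles": {"admin"}},
    {"patterns": ["/reports/*", "*.pdf"], "roles": {"admin", "auditor"}},
]


def pattern_matches(pattern, path):
    """Servlet-style matching: exact, path-prefix ("/x/*") or extension ("*.ext")."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def required_roles(path, constraints=CONSTRAINTS):
    """Union of roles demanded by every constraint whose pattern covers path."""
    roles = set()
    for c in constraints:
        if any(pattern_matches(p, path) for p in c["patterns"]):
            roles |= c["roles"]
    return roles


def vulnerable_is_allowed(request_uri, user_roles):
    """Flawed check: patterns are compared against the whole URI path,
    so a context-root prefix ("/sso") stops every pattern from matching."""
    needed = required_roles(urlsplit(request_uri).path)
    return not needed or bool(needed & user_roles)


def fixed_is_allowed(request_uri, context_root, user_roles):
    """Correct check: strip the deployed context-root, then match."""
    path = urlsplit(request_uri).path
    if context_root and context_root != "/":
        if not (path == context_root or path.startswith(context_root + "/")):
            return False  # request is not addressed to this application
        path = path[len(context_root):] or "/"
    needed = required_roles(path)
    return not needed or bool(needed & user_roles)
```

Deployed at the root context both checks agree; after redeployment under `/sso` only the fixed check still enforces the `/admin/*` constraint, which is exactly why the workaround insists that policy paths match the deployed context-root.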
Copyright 2021, SecurityGlobal.net LLC