SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Novell Identity Manager Vendors:   Novell
(Novell Issues Advisory for Identity Manager) JBoss Application Server Error in DeploymentFileRepository Class Lets Remote Users Read and Write Files
SecurityTracker Alert ID:  1017622
SecurityTracker URL:  http://securitytracker.com/id/1017622
CVE Reference:   CVE-2006-5750   (Links to External Site)
Date:  Feb 12 2007
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.0, 3.0.1 SP1
Description:   A vulnerability was reported in JBoss Application Server. A remote user can view or write files on the target system. Novell Identity Manager is affected.

The setBaseDir() method of the DeploymentFileRepository class does not properly validate the basedir setting. A remote user can connect to the console manager to read or write arbitrary files on target system with the privileges of the JBoss user account.

Symantec reported this vulnerability to the vendor.

The original bug report is available at:

http://jira.jboss.com/jira/browse/JBAS-3861

Impact:   A remote user can view or write files on the target system.
Solution:   Novell has issued an advisory for Novell Identity Manager UserApplication, which includes JBoss and is affected by the JBoss vulnerability.

Novell recommends removing the vulnerable service and securing JBoss using procedures described in their advisory.

The Novell advisory is available at:

https://secure-support.novell.com/KanisaPlatform/Publishing/719/3024921_f.SAL_Public.html

Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 27 2006 JBoss Application Server Error in DeploymentFileRepository Class Lets Remote Users Read and Write Files



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC