SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   IBM Tivoli Provisioning Manager Vendors:   IBM
IBM Tivoli Provisioning Manager Express Input Validation Hole Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1019045
SecurityTracker URL:  http://securitytracker.com/id/1019045
CVE Reference:   CVE-2007-6407, CVE-2007-6408   (Links to External Site)
Updated:  Dec 18 2007
Original Entry Date:  Dec 5 2007
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information


Description:   Two vulnerabilities were reported in IBM Tivoli Provisioning Manager Express. A remote user can conduct cross-site scripting attacks. A remote user can determine valid usernames.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the IBM Tivoli Provisioning Manager software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine valid usernames by exploiting the function for creating new users.

Michal Bucko from Eleytt Research reported these vulnerabilities.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the IBM Tivoli Provisioning Manager software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine valid usernames

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ibm.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (2000), Windows (2003)

Message History:   None.


 Source Message Contents

Subject:  [ELEYTT] Public Advisory 05-12-2007



Eleytt Research
www.eleytt.com



Overview:
====================
Michal Bucko, Eleytt, www.eleytt.com/michal.bucko
Tomasz Polis, Eleytt


Credit:
====================

Michal Bucko, Eleytt, www.eleytt.com/michal.bucko

Mateusz Jurczyk (in cooperation with Eleytt Research,
for Gadu-Gadu "emots.txt" vulnerability)




Vulnerability Table
===================

1. IBM Tivoli Provisioning Manager Express Multiple Cross-Site
Scripting Vulnerabilities
2. IBM Tivoli Provisioning Manager Express Remote Username
Enumeration Weakness
3. Computer Associates eTrust Threat Management Console
IP Address HTML Injection Weakness
4. Gadu-Gadu Skin Attribute Handling Remote Denial of Service
Vulnerability
5. Gadu-Gadu Remote User Addition Vulnerability



Vulnerability found by Mateusz Jurczyk (j00ru)
working with Eleytt Research
=============================================================

Disclaimer: Eleytt Research cooperates with external security
researchers.


6. Gadu-Gadu "emots.txt" Arbitrary Code Execution Vulnerability








Vulnerability Details
=========================
=========================


1. IBM Tivoli Provisioning Manager Express Multiple Cross-Site
Scripting Vulnerabilities
===========================================================

IBM Tivoli Provisioning Manager Express (http://127.0.0.1/tpmx) is
vulnerable to multiple cross-site scripting vulnerabilities, e.g.
assess modification, user-id etc. are not properly sanitized. This
might lead to remote java script code execution (cookie theft,
redirection, HTML injection etc.) Error processing is also vulnerable
to cross-site scripting.



2. IBM Tivoli Provisioning Manager Express Remote Username
Enumeration Weakness
=======================================================

IBM Tivoli Provisioning Manager Express is vulnerable to
remote username enumeration vulnerability. When trying to
create a new user with 'username' value that already exists,
one receives certain information about the problem. The problem
is even more serious as the login page is not crawler-protected,
thus automated brute-force attacks on certain acccounts might
be possible. This might lead to further attacks based on
the information obtained.


3. Computer Associates eTrust Threat Management Console
IP Address HTML Injection Weakness
====================================================

IP Address (and various other) are prone to HTML injection
weakness. No exploit is required. Further investigation has
not been performed, other weaknesses might also be possible.




4. Gadu-Gadu Skin Attribute Handling Remote Denial of Service
Vulnerability
=========================================================

Improper "skin" attribute handling by the (by default) registered
protocol handler (gadu-gadu protocol "gg") leads to resource
consumption based denial of service conditions. Gadu Gadu cannot
be running on the remote machine, only installed. The vulnerability
might be exploited via a web browser. The attacker should entice
the unaware victim to open a specially crafted link.



More verbose information has been provided directly to Gadu-Gadu.



5. Gadu-Gadu Remote Unspecified User Addition Vulnerability
========================================================

Popular communicator allows remote user addition as the result
of improper protocol handling (protocol handler "gg" is registered
by default). The vulnerability might be exploited via a web browser.
The attacker should lead to unaware victim opening the specially
crafted link. It might be also possible to send gadu-gadu request
from unauthorized users, but this has not been proven nor confirmed
yet.

This vulnerability might also allow to perform denial of service
attacks under certain conditions.


More verbose information has been provided directly to respective
software vendor.






Eleytt Research cooperates with external security researchers!
==============================================================
==============================================================



6. Gadu-Gadu "emots.txt" Arbitrary Code Execution Vulnerability
============================================================

The vulnerability has already been disclosed by a 3rd party
security research team, in cooperation with Eleytt Research.
Mateusz Jurczyk (j00ru) in cooperation with Eleytt Research
is credited with the discovery of the vulnerability.

This vulnerability has already been disclosed and vendor has
been given provided with information.









Meet Our Business Continuity Program!
=====================================

Eleytt offers Eleytt Business Continuity Program. What is it?

- Long-term continous security audits
- Security consulting and training
- Security policy compliance issues

For more information, please refer to eleytt.com, http://www.eleytt.com





Eleytt - Company Information
============================

Eleytt Corporation is specialized in penetration testing, vulnerability
development, advanced reverse engineering and exploitation techniques.
Eleytt provides various security-related services: risk assessment,
security policy, security assurance, incident management, web
application security testing, continuous security assurance programs.
Eleytt provides security audits for financial institutions and e-commerce.
Eleytt provides an in-depth security analysis - experienced security
experts analyze your source code, analyze your application, analyze your
web application. Eleytt runs security programs for financial institutons
and e-commerce.

We have the mission to improve the security level of software and web
applications. It is us who help you implement more secure applications.
We help you understand the risk and deploy security solutions. We help
you avoid costly business disruptions.




These are the questions, which might help you understand how we work:
=====================================================================

Want to get your web site checked for security vulnerabilities?

Your server requires real penetration testing?

Interested in Eleytt Business Continuity Program?

Interested in Eleytt Application Security Program?

For more information, please use:

http://www.eleytt.com








DISCLAIMER
==========

This document and all the information it contains are provided "as is",
for educational purposes only, without warranty of any kind, whether
express or implied.

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in
this document. Liability claims regarding damage caused by the use of
any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC