CVE-2008-5118 - Multiple vulnerabilities in Sun Java System Identity Manager 6.0/7.0/7.1
CVSS metrics
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | PARTIAL |
Availability impact | NONE |
Tags: network, sun
Summary
Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to inject frames from arbitrary web sites and conduct phishing attacks via unspecified vectors, related to "frame injection."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | Sun Java System Identity Manager 6.0, 6.0 SP1, 6.0 SP2, 6.0 SP3, 6.0 SP4, 7.0, 7.1 | 7 |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 32262. CVE(CAN) ID: CVE-2008-5117, CVE-2008-5118, CVE-2008-5116, CVE-2008-5115, CVE-2008-5114. Sun Java System Identity Manager is a complete end-to-end solution for protecting sensitive data and managing identity profiles and entitlements. The Identity Manager server-side script /idm/includes/helpServer.jsp does not properly validate the ext parameter; an unauthenticated remote attacker can submit a crafted request to the server to perform a directory traversal attack and retrieve any file at a known location on the file system. The update password function of Identity Manager (/idm/admin/changeself.jsp) contains a cross-site request forgery vulnerability: because the update password request is not tied to an unpredictable value and the administrative user is not required to enter the current password, an administrative user who is tricked into visiting a malicious HTML page while authenticated to Identity Manager may have the administrative account hijacked. In addition, a cross-site scripting vulnerability may allow local or remote unprivileged users to execute unauthorized script code in a user's browser when the user clicks a link to Identity Manager, and two further vulnerabilities may allow local or remote unprivileged users to redirect the browser to an unintended remote site or to inject a frame containing content from an unintended site. Affected versions: Sun Java System Identity Manager 7.1, 7.0, 6.0 SP4, 6.0 SP3, 6.0 SP2, 6.0 SP1, 6.0. Vendor response: Sun has published a security alert (Sun-Alert-243386) and corresponding patches: Sun-Alert-243386: Multiple Security Vulnerabilities in Sun Java System Identity Manager, http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-243386-1 |
id | SSV:4478 |
last seen | 2017-11-19 |
modified | 2008-11-21 |
published | 2008-11-21 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-4478 |
title | Sun Java System Identity Manager Directory Traversal and Cross-Site Request Forgery Vulnerabilities |
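The Seebug description names three request-handling weaknesses: a file parameter that is not confined to a directory (directory traversal), a password-change form with no unpredictable token and no current-password check (CSRF), and a frame or redirect target taken from a request parameter (frame injection / open redirect). Each has a standard server-side fix, shown together below. This is an added illustration written for this page in Python, not code from Sun Java System Identity Manager (a JSP application) or from the advisory; the function names, the HELP_ROOT directory, the allowlisted host and every sample input are assumptions chosen for the example.

```python
"""Hardened forms of the three weaknesses described in the advisory text.

Added illustration, not Identity Manager code. HELP_ROOT, ALLOWED_FRAME_HOSTS
and all sample inputs are assumptions made for this example.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional
from urllib.parse import urlsplit

HELP_ROOT = "/srv/idm/help"                # assumed location of the help tree
ALLOWED_FRAME_HOSTS = {"idm.example.com"}  # assumed: the application's own host


# --- 1. Directory traversal via a file-name parameter ----------------------

def resolve_help_file(help_root: str, ext: str) -> Optional[str]:
    """Map an untrusted 'ext' parameter onto a file strictly inside help_root.

    realpath() collapses '..' segments and resolves symlinks, and an absolute
    'ext' makes os.path.join discard help_root entirely; in every such case
    the commonpath check fails and None is returned. The root itself (empty
    'ext') is also refused.
    """
    try:
        root = os.path.realpath(help_root)
        candidate = os.path.realpath(os.path.join(root, ext))
    except ValueError:            # e.g. embedded NUL byte in 'ext'
        return None
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# --- 2. CSRF against the password-change form ------------------------------

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Session:
    """Server-side session: a per-session anti-CSRF token plus a salted
    password hash, so the current password can be re-checked on change."""

    def __init__(self, password: str) -> None:
        self.csrf_token = secrets.token_urlsafe(32)
        self.set_password(password)

    def set_password(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash_password(password, self._salt)

    def verify_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self._salt), self._pw_hash)


def change_password(session: Session, form: dict) -> bool:
    """Accept the change only if the form carries the session's secret token
    (a cross-site page cannot read it) and the current password (which the
    attacker does not know). Both comparisons are constant-time."""
    token = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False
    if not session.verify_password(str(form.get("current_password", ""))):
        return False
    new_password = str(form.get("new_password", ""))
    if not new_password:
        return False
    session.set_password(new_password)
    return True


# --- 3. Frame injection / open redirect via a target parameter -------------

def safe_frame_target(raw: str) -> Optional[str]:
    """Accept only a site-local path or an https URL on an allowlisted host.

    Rejects foreign hosts, scheme-relative '//evil.example/...', credential
    tricks such as 'https://idm.example.com@evil.example/', plain http, and
    non-http schemes such as javascript: or data:.
    """
    try:
        parts = urlsplit(raw)
    except ValueError:            # malformed input, e.g. an unclosed IPv6 literal
        return None
    if parts.scheme == "" and parts.netloc == "":
        # Local path: exactly one leading '/', and no backslashes, which some
        # browsers treat as '/'.
        if raw.startswith("/") and not raw.startswith("//") and "\\" not in raw:
            return raw
        return None
    if parts.scheme == "https" and parts.hostname in ALLOWED_FRAME_HOSTS:
        return raw
    return None


if __name__ == "__main__":
    print(resolve_help_file(HELP_ROOT, "en/index.html"))
    print(resolve_help_file(HELP_ROOT, "../../../../etc/passwd"))
    s = Session("old-secret")
    print(change_password(s, {"new_password": "x"}))           # forged request, no token
    print(change_password(s, {"csrf_token": s.csrf_token,
                              "current_password": "old-secret",
                              "new_password": "new-secret"}))   # legitimate request
    print(safe_frame_target("//evil.example/login"))
```

The traversal check relies on canonicalising both ends before comparing, rather than on stripping "../" substrings, so encoded or doubled separators cannot slip past it. The CSRF fix combines two independent controls, the secret token and the current password, so that even a leaked token does not let a third party set a new password. The frame check is an allowlist, not a denylist: anything that is not a local path or an https URL on the application's own host is refused.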
References
- http://osvdb.org/49769
- http://secunia.com/advisories/32606
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-243386-1
- http://www.securityfocus.com/bid/32262
- http://www.securitytracker.com/id?1021170
- http://www.vupen.com/english/advisories/2008/3128
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46555