SecurityTracker.com

Category:   Application (Generic)  >   Sun Java System Portal Server
Vendors:   Sun
Sun Java System Portal Server Proxy Authentication Flaw Grants Calendar Data Access to Remote Authenticated Users
SecurityTracker Alert ID:  1010756
SecurityTracker URL:  http://securitytracker.com/id/1010756
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 22 2004
Impact:   Disclosure of user information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 6.2
Description:   A vulnerability was reported in Sun Java System Portal Server's proxy authentication to the Calendar Server. A remote authenticated user can gain access to calendar data when proxy authentication is enabled.

Sun reported that a remote authenticated user can gain Calendar Server administrator credentials if the user changes the display options to select a non-default view. This allows the user to have unrestricted read and write access to the calendar data.

The system is only affected if Admin Proxy Authentication is configured on the Calendar Server and if Calendar access is provided via the "Portal" communication channel and not the "Unified Web Client" or the "Calendar Web Client".

Impact:   A remote authenticated user can gain read and write access to calendar data.
Solution:   Sun has issued the following fixes:

SPARC Platform

Sun Java System Portal Server Software 6.2 with patch 116856-10 or later

X86 Platform

Sun Java System Portal Server Software 6.2 with patch 117757-09 or later

As a workaround, Sun indicates that you can prohibit end users from editing the calendar channels "calendar" or "view" display profile properties when Admin Proxy Authentication is enabled.
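
A patch-level check for the fixes listed above, as an added example that is not part of the SecurityTracker alert or of Sun's advisory: it reads Solaris `showrev -p` output and compares the installed revision of 116856 (SPARC) or 117757 (x86) with the minimum this alert names. The function names, the sample listing, patch 112233 and the package name are constructed for illustration; the check says nothing about whether Admin Proxy Authentication is configured.

```shell
#!/bin/sh
# Added example: compare installed Portal Server 6.2 patch revisions with the
# minimum fix levels named in this alert (116856-10 SPARC, 117757-09 x86).

# check_portal_patch ARCH   (ARCH as printed by `uname -p`: sparc or i386)
# Reads `showrev -p` style text on stdin. Prints "fixed <id>", "outdated <id>"
# or "missing"; exit status is 0 only when the fix level is met.
check_portal_patch() {
    case "$1" in
        sparc) base=116856 min=10 ;;
        i386)  base=117757 min=9 ;;
        *)     echo "unsupported"; return 2 ;;
    esac
    awk -v base="$base" -v min="$min" '
        $1 == "Patch:" {
            split($2, id, "-")                  # "116856-08" -> id[1], id[2]
            if (id[1] == base) {
                seen = 1
                if (id[2] + 0 > best) best = id[2] + 0   # keep highest revision
            }
        }
        END {
            if (!seen)       { print "missing"; exit 1 }
            if (best >= min) { printf "fixed %s-%02d\n", base, best; exit 0 }
            printf "outdated %s-%02d\n", base, best
            exit 1
        }'
}

# Constructed sample listing (patch 112233 and the package name are made up).
sample_showrev() {
    cat <<'EOF'
Patch: 112233-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 116856-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
EOF
}

# Demo on the sample; on a real host: showrev -p | check_portal_patch "$(uname -p)"
sample_showrev | check_portal_patch sparc || true    # prints: outdated 116856-08
```
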

Vendor URL:  sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57586
Cause:   Access control error
Underlying OS:   Linux (Red Hat Enterprise), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents

Date:  Thu, 22 Jul 2004 12:59:00 -0400
Subject:  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57586


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57586

57586   Proxy Authentication to Calendar Server Fails if Portal Display Preferences Are 
Changed   21 Jul 2004

Sun reported that a remote authenticated user can gain Calendar Server administrator 
credentials if the user changes the display options to select a non-default view.  This 
allows the user to have unrestricted access to the calendar data.

Sun Java System Portal Server Software 6.2 (for Solaris 8 and Solaris 9) is affected, but 
only if Admin Proxy Authentication is configured on the Calendar Server and if Calendar 
access is provided via the "Portal" communication channel and not the "Unified Web Client" 
or the "Calendar Web Client".

As a workaround, Sun indicates that you can prohibit end users from editing the calendar 
channels "calendar" or "view" display profile properties when Admin Proxy Authentication 
is enabled.

Sun has issued the following fixes:

SPARC Platform

Sun Java System Portal Server Software 6.2 with patch 116856-10 or later

X86 Platform

Sun Java System Portal Server Software 6.2 with patch 117757-09 or later

-----

Sun Alert ID: 57586
Synopsis: Proxy Authentication to Sun ONE Calendar Server May Fail if Portal Display 
Preferences Are Changed
Category: Security
Product: Sun Java System Portal Server Software
BugIDs: 5014142
Avoidance: Workaround, Patch
State: Resolved
Date Released: 21-Jul-2004
Date Closed: 21-Jul-2004
Date Modified:

 
 



Copyright 2012, SecurityGlobal.net LLC