IBM WebSphere Application Server doGet/doTrace Method Flaw Lets Remote Users Bypass Security Restrictions
|
|
SecurityTracker Alert ID: 1022862 |
|
SecurityTracker URL: http://securitytracker.com/id/1022862
|
|
CVE Reference:
CVE-2009-3106
(Links to External Site)
|
Date: Sep 9 2009
|
Impact:
User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 6.0 prior to 6.0.2.37
|
Description:
A vulnerability was reported in IBM WebSphere Application Server. A remote user can bypass security restrictions.
The software does not properly handle security controls on the doGet and doTrace methods. A remote user can send a specially crafted HTTP HEAD request to a target application that only specifies protection contraints for GET and POST requests to bypass security restrictions.
|
Impact:
A remote user can bypass security restrictions in certain cases.
|
Solution:
The vendor has issued a fix (APAR PK83258; Fix Pack 37 (6.0.2.37)).
The vendor's advisory is available at:
http://www-01.ibm.com/support/docview.wss?uid=swg27006876
|
Vendor URL: www-01.ibm.com/support/docview.wss?uid=swg27006876 (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 8 Sep 2009 23:27:44 -0400
Subject: IBM WebSphere Application Server
|
PK83258 doHead doGet issues
CVE-2009-3106
XFID 53051
|
|
