IBM FileNet Application Engine URL-based Session IDs May Let Remote Users Hijack User Sessions
SecurityTracker Alert ID: 1024456 |
SecurityTracker URL: http://securitytracker.com/id/1024456
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 16 2010
Impact:
Modification of authentication information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.0.2.7 and prior versions
Description:
A vulnerability was reported in IBM FileNet Application Engine. A remote user may be able to hijack user sessions.
The system accepts session IDs passed in the URL. Because a session ID carried in the URL can be supplied to a target user ahead of login, a remote user may be able to conduct session fixation attacks to hijack the target user's session.
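As an added illustration (not code from the advisory or from IBM), a minimal session handler in the pattern the advisory describes, beside a hardened version that ignores URL-borne IDs and rotates the ID at authentication; the in-memory store, the function names and the scenario are assumptions made for this example.

```python
import secrets

class SessionStore:
    """Constructed in-memory store: session id -> authenticated user or None."""
    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = None        # unauthenticated until login
        return sid

def vulnerable_login(store, url_sid, cookie_sid, user):
    """Pattern the advisory describes: an existing session id taken from the
    URL is honoured and kept across login, so an id obtained in advance by a
    third party becomes the victim's authenticated session."""
    sid = url_sid if url_sid in store.sessions else cookie_sid
    if sid not in store.sessions:
        sid = store.create()
    store.sessions[sid] = user
    return sid

def hardened_login(store, url_sid, cookie_sid, user):
    """Mitigation (assumed, standard practice): never read the id from the
    URL, and issue a fresh id at login so no pre-login id survives."""
    if cookie_sid in store.sessions:
        del store.sessions[cookie_sid]   # retire the pre-authentication session
    sid = store.create()
    store.sessions[sid] = user
    return sid

def fixation_possible(login_fn):
    """Defender-side check: a valid but unauthenticated id is created first,
    then the victim logs in through a URL carrying that id. Returns True if
    the pre-existing id now maps to the victim's account."""
    store = SessionStore()
    preset = store.create()               # id known before the victim logs in
    login_fn(store, url_sid=preset, cookie_sid=None, user="victim")
    return store.sessions.get(preset) == "victim"
```

Running `fixation_possible` against both handlers shows the URL-honouring variant leaves the preset id authenticated, while the hardened variant does not.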
Impact:
A remote user may be able to hijack user sessions.
Solution:
The vendor has issued a fix (APAR PJ37346; 4.0.2.7-P8AE-FP007).
The vendor's advisory is available at:
http://download2.boulder.ibm.com/sar/CMA/IMA/00y3y/0/readme-4027-P8AE-FP007.htm
Vendor URL: download2.boulder.ibm.com/sar/CMA/IMA/00y3y/0/readme-4027-P8AE-FP007.htm
Cause:
Access control error
Underlying OS:
Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)
Message History:
None.
Source Message Contents
Date: Thu, 16 Sep 2010 20:11:38 +0000
Subject: IBM FileNet Application Engine
http://download2.boulder.ibm.com/sar/CMA/IMA/00y3y/0/readme-4027-P8AE-FP007.htm
APAR PJ37346
Workplace has a potential security vulnerability related to session fixation, where the session ID is no longer visible in the URL.