PR08-09: Unauthenticated File Retrieval on Sun Java System Identity Manager "ext" parameter Date Found: 25th April 2008 Vendor Contacted: 28th April 2008 Date Public: 10th November 2008 Severity: High Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com). ProCheckUp thanks Sun for working with us. Description: Sun Java System Identity Manager is vulnerable to *unauthenticated* file retrieval a.k.a. directory traversal within the "ext" parameter processed by the "/idm/includes/helpServer.jsp" server-side script. Consequences: Any files can be retrieved from the target server provided that the attacker knows its location on the filesystem. No authentication is required to exploit this vulnerability. Proof of concept (PoC): _Due to the severity of this issue, ProCheckUp will keep the PoC private until all Sun Identity Manager customers are given enough time to update._ Successfully tested on: Server environment: Windows Server 2003, Standard Apache Tomcat/5.0.28 Sun Java System Identity Manager 6.0 (20061212 SP 2) Note: the version of Sun Java SIM can be obtained from the HTML source code of the user login page: "/idm/user/login.jsp" i.e.: [snip] <a onmouseover="return overlib('Open <b>Help</b><br>Version &nbsp;Sun Java System Identity Manager 6.0 (20061212 SP 2)', FGCOLOR, '#F5F5DC', BGCOLOR, '#000000', DELAY, '750')" [snip] References: http://www.sun.com/software/products/identity_mgr/index.xml http://www.procheckup.com/Vulnerabilities Fix: Apply the patches released by Sun. This vulnerability has been filed as Sun Bugzilla bug 18653. For more information please see http://sunsolve.sun.com/search/document.do?assetkey=1-26-243386-1 Legal: Copyright 2008 ProCheckUp Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp indicating this web page URL, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. ProCheckUp is not liable for any misuse of this information by any third party. ProCheckUp is not responsible for the content of external Internet sites.