Cyclades AlterPath Manager Arbitrary Console Connection
Product:
AlterPath Manager (APM) Console Server
Released:
01/23/2005
Description:
AlterPath Manager (APM) allows any connected user to access any console, ignoring access restrictions connected to the AlterPath.
Systems Affected:
AlterPath Manager 1.1.0
AlterPath Manager 1.2.1 and 1.2.0 partially affected
Technical Description:
Access restrictions in the APM prevent users from seeing consoles they are not allowed to connect to. However, this can be bypassed by simply specifying any
console's name in the consoleConnect.jsp URL. Once the URL is changed and loaded, the user will be taken directly to the console.
Example (substitute "console_name" with the real name of a console defined in the APM):
Note: In versions 1.2.0 and 1.2.1 of the APM, the user must have at one time been authorized to access the console, and have actually connected to it via the web interface. If the user's access to that console is removed, they are still able to access the console via URL modification.
Fix/Workaround:
This issue was partially corrected in APM release 1.2.0 (see Technical Note above). A patch for APM v1.2.1 is available at ftp://ftp.cyclades.com/pub/cyclades/alterpath/e2000/released/V_1.2.1/pat...
Vendor Status:
- Cyclades was notified on 12/13/2004 and confirmed receipt on 12/14/2004.
- Cyclades responded to an inquiry on 1/20/2005 to confirm version 1.2.5 would address this issue.
- Cyclades responded to an inquiry on 2/15/2005 to state they still did not have a release date, but did not respond with more information.
- Released on 2/23/2005.
- Cyclades responded on 2/25/2005 to clear up version information, provide information on v1.2.1 for this vulnerability, and notify of patch release.
Contacts:
sullo@cirt.net
References:
Updated information can be found on OSVDB.org under the following entries:
| OSVDB-14075 | Cyclades AlterPath Manager consoleConnect.jsp Arbitrary Console Connection |
Updates: