Product:
AlterPath Manager (APM) Console Server
Released:
01/23/2005
Description:
AlterPath Manager (APM) allows any logged-in user to access any console, ignoring the access restrictions configured in the AlterPath Manager.
Systems Affected:
AlterPath Manager 1.1.0
AlterPath Manager 1.2.1 and 1.2.0 partially affected
Technical Description:
Access restrictions in the APM prevent users from seeing consoles they are not allowed to connect to. However, this can be bypassed by simply specifying any console's name in the consoleConnect.jsp URL. Once the URL is changed and loaded, the user will be taken directly to the console.
Example (substitute "console_name" with the real name of a console defined in the APM):
Note: In versions 1.2.0 and 1.2.1 of the APM, the user must have at one time been authorized to access the console, and have actually connected to it via the web interface. If the user's access to that console is removed, they are still able to access the console via URL modification.
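The three behaviours described above (1.1.0 trusting the URL parameter, 1.2.x remembering a console once connected to, and the proper fix of checking the current ACL on every request) modelled as an added illustration. This is not Cyclades/APM code; the users, console names and ACL are constructed sample data.

```python
# Added illustration (not Cyclades/APM code) of how a console-connect
# handler can decide whether to serve consoleConnect.jsp for a console name.
# Users, console names and the ACL below are constructed sample data.

ACL = {  # constructed: console name -> users currently allowed to connect
    "db-console": {"alice"},
    "router-console": {"alice", "bob"},
}


def menu_for(user):
    """Consoles the web UI lists for a user (the only restriction APM 1.1.0 applied)."""
    return sorted(c for c, users in ACL.items() if user in users)


def connect_1_1_0(user, console):
    """Models 1.1.0: the console name from the URL is trusted outright."""
    return console in ACL  # any defined console is served, whoever asks


class Session:
    """Models 1.2.x: authorization is remembered per session once granted."""

    def __init__(self, user):
        self.user = user
        self.seen = set()  # consoles this session reached through the UI

    def click_in_ui(self, console):
        """Following a menu link records the console as reachable."""
        if console in menu_for(self.user):
            self.seen.add(console)
            return True
        return False

    def connect_1_2_x(self, console):
        # A previously reached console stays reachable even after revocation.
        return console in self.seen


def connect_fixed(user, console):
    """Enforce the current ACL on every request; trust neither UI nor history."""
    return user in ACL.get(console, set())


def revoke(user, console):
    """Administrator removes a user's access to a console."""
    ACL[console].discard(user)
```

Running the functions in order shows the hidden console is served by the 1.1.0 model, the revoked console stays reachable in the 1.2.x model, and only the per-request check denies both.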
Fix/Workaround:
This issue was partially corrected in APM release 1.2.0 (see Technical Note above). A patch for APM v1.2.1 is available at ftp://ftp.cyclades.com/pub/cyclades/alterpath/e2000/released/V_1.2.1/pat...
Vendor Status:
Contacts:
sullo@cirt.net
References:
Updated information can be found on OSVDB.org under the following entries:
OSVDB-14075 | Cyclades AlterPath Manager consoleConnect.jsp Arbitrary Console Connection
Updates: