A vulnerability in Hewlett-Packard's OpenView Select Access threatens to allow remote attackers to bypass restrictions and access enterprise resources. Administrators need to apply patches to fix the problem, which is only the latest of a number of recent HP OpenView vulnerabilities.
HP's OpenView Select Access is designed to manage user identities and provide secure Web-based access to network and enterprise resources. Select Access has a problem decoding URL inputs that contain Unicode characters encoded with UTF-8. This can allow remote attackers to use URLs containing special characters to bypass some access restrictions to resources. The problem is known to affect HP OpenView Select Access versions 5.x and 6.x. HP has released patches.
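A common defence against URL-decoding bypasses is to canonicalise the request path before any access rule is matched. The following Python example is added here for illustration and is not HP's code or patch; the advisory does not say which byte sequences Select Access mishandled, so the PROTECTED rule set is hypothetical and the sample paths (including an overlong UTF-8 form) are constructed.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Hypothetical policy for this example: subtrees that require authorization.
PROTECTED = ("/admin", "/hr")


class RejectedURL(ValueError):
    """The request path cannot be decoded to exactly one meaning."""


def canonical_path(raw_path: str) -> str:
    """Percent-decode once, decode as strict UTF-8, then normalise the path."""
    if not raw_path.isascii():
        raise RejectedURL("raw non-ASCII characters in request path")
    data = unquote_to_bytes(raw_path)
    try:
        # The strict decoder refuses overlong forms, surrogates and truncated
        # sequences instead of mapping them to some "nearby" character.
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise RejectedURL(f"malformed UTF-8: {exc.reason}") from exc
    if "%" in text or any(ord(ch) < 0x20 for ch in text):
        # Conservative choice: leftover '%' (double or invalid encoding)
        # and control characters are refused rather than interpreted.
        raise RejectedURL("residual percent-encoding or control character")
    # Resolve '.', '..' and repeated slashes so rules see the final path.
    return "/" + posixpath.normpath("/" + text).lstrip("/")


def classify(raw_path: str) -> str:
    """Return 'reject', 'protected' or 'public' for a raw request path."""
    try:
        path = canonical_path(raw_path)
    except RejectedURL:
        return "reject"
    for root in PROTECTED:
        if path == root or path.startswith(root + "/"):
            return "protected"
    return "public"


# Constructed sample paths, not taken from the advisory.
SAMPLES = ["/public/index.html", "/%61dmin/users", "/public/%2e%2e/hr/pay",
           "/public/%c0%ae%c0%ae/admin/", "/docs/%C3%A9t%C3%A9", "/a%252fb"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} -> {classify(sample)}")
```

The same canonical form must be what the back-end resource handler receives; if the policy layer and the handler decode differently, the mismatch itself becomes the bypass.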
This is only the latest vulnerability to affect OpenView. Other problems reported in the past six months have included at least two more security bypass issues, as well as denial-of-service problems.
However, security bypass is emerging as a widespread problem in many applications besides Select Access. Since the beginning of 2004, there have been at least a dozen significant examples. Affected applications have included Apache, BEA WebLogic, eTrust Antivirus, F-Secure Anti-Virus, Microsoft Internet Explorer and Microsoft Outlook. When exploited remotely, security bypass can be a stepping stone for attackers to do more serious damage to systems.