HTTP admin interface flaw found in Sun directory server

By Eric B. Parizo, News Editor 10 Oct 2005 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

A newly discovered flaw in Sun Microsystems Inc.'s LDAP-based directory server could allow unauthorized users to tamper with the system and execute arbitrary commands.

According to an advisory published Friday by the French Security Incident Response Team (FrSIRT) and confirmed by Danish security monitoring Web site Secunia, Sun's Java System Directory Server version 5.2, including patch 3 and prior patches, is vulnerable to an unspecified error in the HTTP admin interface that improperly handles uniquely crafted requests.

FrSIRT writes that, as a result, it is possible for remote attackers to use such requests to gain unauthorized access to a susceptible system and perform malicious actions.

Secunia has classified the problem as moderately critical. It was reportedly exposed by Peter Winter-Smith of UK-based vulnerability assessment firm NGS Software Ltd.

Affected users can eradicate the vulnerability by upgrading to System Directory Server 5.2 patch 4.

According to Sun, the Java System Directory Server is the most widely deployed general-purpose directory server based on Lightweight Director Access Protocol, with more than 1.5 billion entries. Used by enterprises to manage large volumes of user information, it is a software component of Sun's Java Identity Management Suite, the vendor's toolset for managing and securing network identity data.

Tags: Active Directory and LDAP Security,  Enterprise Single Sign-On (SSO),  Web Authentication and Access Control,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Active Directory and LDAP Security How to edit group policy objects to give a user local admin rights Using IAM tools to improve compliance Ease the compliance burden with automation Changing times for identity management Product Review: Symark PowerADvantage 1.5 Do the Group Policy Object and 'Password Never Expires' flag interact? Directory services and beyond: The future of LDAP What are the benefits of identity managed as a service? Enterprise role management: Trends and best practices Identity Management Suites Enable Integration, Interoperability Active Directory and LDAP Security Research Enterprise Single Sign-On (SSO) How to log in to multiple servers with federated single sign-on (SSO) Security on a budget: How to make the most of authentication tools Best Identity and Access Management Products Changing times for identity management Kerberos configuration as an authentication system for single sign-on How to use single sign-on for Web access control to prevent malware Learn about enterprise strategy for server virtualization single sign-on Enterprise single sign-on: Easing the authentication process Exploring authentication methods: How to develop secure systems User provisioning and SSO for PeopleSoft- and Unix-based products Enterprise Single Sign-On (SSO) Research Web Authentication and Access Control Group to shed light on secure identity management threats How to confirm the receipt of an email with security protocols Schneier-Ranum Face-Off: Is Perfect Access Control Possible? Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat Changing times for identity management How to use single sign-on for Web access control to prevent malware IBM USB banking device stops keyloggers, malware Can mutual authentication beat phishing or man-in-the-middle attacks? Could someone place a rootkit on an internal network through a router? Sun launches open source OpenSSO for identity management

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary user profile  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary