COMMAND

    Tivoli SecureWay Policy Director

SYSTEMS AFFECTED

    Tivoli SecureWay Policy Director 3.01, 3.6, 3.7 and 3.7.1.

PROBLEM

    Following is based on an iXsecurity Security Vulnerability Report,
    20010618.  WebSEAL Policy Director does not handle hex-encoded URLs
    correctly.  It is possible to perform web traversals by  appending
    %2e sequences, and so to reach the underlying web server.

    It is possible to  view all files on  the server and exploit  some
    of the web server vulnerabilities.

    This exposure exists on Tivoli SecureWay Policy Director  versions
    3.01,  3.6,  3.7  and  3.7.1.   This  exposure  only occurs on the
    Tivoli SecureWay Policy Director WebSEAL proxy server, running  on
    any  of  the  Web  server  operating  systems,  which  consist of:
    HP-UX, IBM AIX, Sun Solaris, Microsoft Windows NT, or Windows 2000.

    The IBM/Tivoli WebSEAL Policy Director is supposed to gather  all
    directories on several web servers that users are allowed to access
    and present them as one logical web server.  The policy director is
    supposed to seal users into pre-defined directories on the web
    server according to the company policy.  If you make a connection
    to the web server on port 80, WebSEAL answers and tries to lock you
    into the pre-defined directory.  The access check is applied to the
    raw URL, before percent-decoding, so an encoded dot segment is not
    recognised as "..".  By appending /%2e%2e/%2e%2e you escape the
    policy director, can perform directory traversals, view most files
    on the system, and exploit vulnerabilities in the web server itself.
    iXsecurity was able to exploit the good old RDS vulnerability by
    patching Rain Forest Puppy's msadc.pl script.
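    The root cause described above is an access-control check that looks at
    the request path before it is percent-decoded, while the origin server
    decodes and normalises it afterwards.  The following Python is an added
    example written for this page, not Tivoli's code: it contrasts that weak
    check with one that canonicalises the path first (repeated decoding,
    backslash folding, "." and ".." collapsing) and then runs the same
    policy over constructed access-log lines to find requests that left the
    sealed subtree.  The prefix "/sealed/", the hosts and the log lines are
    invented for the example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed scenario (not Tivoli's code): the proxy is meant to seal
# every user into the "/sealed/" subtree of the origin web server.
ALLOWED_PREFIX = "/sealed/"


def naive_check(raw_path):
    """Weak check of the kind the advisory describes: it inspects the path
    as sent, before percent-decoding, so "/sealed/%2e%2e/" never contains
    the literal ".." it is looking for and the request is let through."""
    return ".." not in raw_path and raw_path.startswith(ALLOWED_PREFIX)


def canonicalize(raw_path):
    """Return the path the origin server will actually resolve.

    Decoding is repeated until the string stops changing, so double-encoded
    forms (%252e -> %2e -> .) are covered; the loop is bounded so hostile
    input cannot keep it busy.  Backslashes are folded to "/" because the
    Windows hosts named in the advisory accept them as separators, and
    posixpath.normpath then collapses "." and ".." segments.
    """
    path = urlsplit(raw_path).path      # the literal "?" ends the path
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_check(raw_path):
    """Apply the sealing policy to the canonical path, never the raw one."""
    canon = canonicalize(raw_path)
    return canon == ALLOWED_PREFIX.rstrip("/") or canon.startswith(ALLOWED_PREFIX)


# Constructed Common Log Format lines; addresses and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2001:10:00:01 +0200] "GET /sealed/index.html HTTP/1.0" 200 1234
10.0.0.9 - - [18/Jun/2001:10:00:07 +0200] "GET /sealed/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 812
10.0.0.9 - - [18/Jun/2001:10:00:09 +0200] "GET /sealed/%252E%252E/%252E%252E/scripts/ HTTP/1.0" 200 0
10.0.0.5 - - [18/Jun/2001:10:00:12 +0200] "GET /sealed/docs/../docs/a.html HTTP/1.0" 200 55
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def find_escapes(log_text):
    """Return (client, raw_path, canonical_path) for every logged request
    whose canonical path lies outside the sealed subtree.  Run over proxy
    logs from an unpatched deployment, this lists who stepped past policy
    and where the request really landed on the origin server."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, raw = m.groups()
        if not hardened_check(raw):
            hits.append((client, raw, canonicalize(raw)))
    return hits


if __name__ == "__main__":
    for client, raw, canon in find_escapes(SAMPLE_LOG):
        print(f"{client} requested {raw} -> resolves to {canon}")
```

    Note that the fourth log line is rejected by the naive check (it
    contains a literal "..") yet accepted by the hardened one, because
    after normalisation it still lies inside /sealed/: canonicalising
    first makes the policy both stricter on encoded input and less prone
    to false rejections on harmless relative paths.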

    This vulnerability was found  during a PenTest by  Patrik Karlsson
    and Rikard Carlsson.

SOLUTION

    Install  the  patch  for  Tivoli  SecureWay Policy Director.  This
    patch  is  available  now  and  corrects  the potential problem by
    enhancing the URL access control verification being performed:

        ftp://ftp.tivoli.com/support/patches/patches_3.0.1/3.0.1-POL-0001
        ftp://ftp.tivoli.com/support/patches/patches_3.6/3.6-POL-0011
        ftp://ftp.tivoli.com/support/patches/patches_3.7.1/3.7.1-POL-0003