PT-2011-3401 · IBM · IBM Rational Build Forge

Published: 2011-04-28 · Updated: 2017-08-17 · CVE-2011-1839

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: IBM Rational Build Forge version 7.1.0

Description: The issue allows context-dependent attackers to discover session IDs by reading web-server access logs, web-server Referer logs, or the browser history. The cause is that the redirection from the authentication servlet to a PHP script uses the HTTP GET method, so the session ID is carried in the request URL and is therefore recorded wherever URLs are logged or stored.

Recommendations: For IBM Rational Build Forge version 7.1.0, consider modifying the authentication process to use a more secure method, such as the HTTP POST method, so that session IDs are not logged or stored in the browser history. As a temporary workaround, restrict access to web-server logs and the browser history to minimize the risk of session ID discovery.
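A defender-side check for the leak channel this advisory describes: scan web-server access logs for GET request targets and Referer headers that carry a session-like query parameter. This is an added example, not code from the advisory or from IBM; the log format (Apache combined), the set of session parameter names, and every host, path and session value in the sample log are assumptions, since the advisory does not name the parameter Build Forge used.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query-string keys that commonly carry a session identifier. "PHPSESSID" is
# PHP's default; the rest are common conventions. This list is an assumption,
# not taken from the product described in the advisory.
SESSION_KEYS = {"phpsessid", "sessionid", "session_id", "sid", "jsessionid", "token"}

# Apache combined log format: client, ident, user, [timestamp], "request line",
# status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def session_params(url: str) -> dict:
    """Return {key: value} for every session-like parameter in a URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if k.lower() in SESSION_KEYS and v}

def find_leaked_sessions(lines):
    """Yield (client, channel, key, value) for each session ID visible in a log line.
    channel is 'request' for a GET target and 'referer' for the Referer header."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["method"].upper() == "GET":
            for k, v in session_params(m["target"]).items():
                yield (m["client"], "request", k, v)
        for k, v in session_params(m["referer"]).items():
            yield (m["client"], "referer", k, v)

# Constructed sample log: a POST to the login servlet, the redirect target fetched
# by GET with the session ID in the URL, and a later request that leaks it again
# through the Referer header. Hosts, paths and the session value are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2011:10:01:02 +0000] "POST /auth/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2011:10:01:02 +0000] "GET /app/index.php?PHPSESSID=0123abcd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2011:10:01:05 +0000] "GET /app/help.php HTTP/1.1" 200 88 "http://example.invalid/app/index.php?PHPSESSID=0123abcd" "Mozilla/5.0"
198.51.100.9 - - [28/Apr/2011:10:02:00 +0000] "GET /app/index.php?page=2 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for client, channel, key, value in find_leaked_sessions(SAMPLE_LOG):
        print(f"session ID exposed via {channel} from {client}: {key}={value}")
```

Any hit from this scan means the session ID has already been written to a log and should be treated as exposed; rotating the session after login and moving the ID out of the URL removes the channel.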

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2011-1839

Affected Products

IBM Rational Build Forge