SERIOUS SECURITY HOLE
Hello,
We have found a very very serious security hole in application manager.
Basically, accessing a URL as follows:
http://192.168.0.xx/HostResource.do?name=HOSTNAME&haid=null&appName=null&resourceid=1298#
(change HOSTNAME to one of your monitored servers & the resourceid= may need to match a valid ID (but still lets you in anyway))
The above allows ANYONE, even without having accessed the site previously, to view whatever information they like (password and cookies are bypassed/ignored).
I have not checked whether your configuration can be altered (e.g. to delete monitor groups etc.).
Please fix this problem ASAP.
Albert.