------ README ------

Date:      December 19, 2003
Patch:     P410A-02M
Component: IBM Directory Server 4.1, FP2 (Server Installations)

General Description:

  Fixes for security vulnerabilities in IDS webadmin.

Problem Tracking Information:

  New in P410A-02M

  - APAR IR52841 (CMVC 82973)
    Abstract: Webadmin Scripting Vulnerability
    Scripting code passed as an invalid CGI parameter is not sanitized in
    the resulting "IException" message.
    Identified in BugTraq ID: 9140 (see http://www.securityfocus.com/bid/9140)

  Previously fixed in P410A-02L

  - APAR IR52692 (CMVC 82822)
    Abstract: Problem with ldacgi
    ldacgi can be used to view (but not change) any file readable by
    user 'ldap' on the host system.

Platform(s): AIX

Dependencies: IBM Directory Server 4.1 with fixpack 2 installed

Patch Contents:

  The archive for this patch is named P410A-02M.tar and installs the
  following files:

  Filename                    bytes      cksum   sum -r
  ======================= ========= ========== ======
  bin/P410A-02MReadme.txt      ----         --     --
  bin/P410A-02M.txt              54  371154155  20014
  web/cgi-bin/ldacgi3d.exe  2109946 1642798921  58128
  web/cgi-bin/ldacgi3e.exe  2114682 3286542318  46119
  web/cgi-bin/ldacgid.exe   5797922 2245936890  34511
  web/cgi-bin/ldacgie.exe   5800610 1227924350  59700

Installing the patch:

  1) Untar the patch file into a directory with at least 30 MB of free
     space. This creates a new subdirectory "P410A-02M" containing the
     following files:

       installPatch.sh
       rejectPatch.sh
       P410A-02MReadme.txt
       data

  2) Log in as root (su).

  3) Run P410A-02M/installPatch.sh

Uninstalling the patch:

  1) Log in as root (su).

  2) Run P410A-02M/rejectPatch.sh

Contents of P410A-02M.txt:

  IBM Directory Release: aus41ldap
  Build: 031212a

------------- END OF README -------------
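Before running installPatch.sh, an administrator can check the unpacked files against the byte counts and cksum values in the Patch Contents table above. The script below is an added example and is not part of the IBM patch; it assumes the table has been saved as a plain-text manifest (one file per line: filename, bytes, cksum, sum -r) and that the patch tree was unpacked under a base directory given as the second argument.

```shell
#!/bin/sh
# Verify each file listed in a README-style manifest against the patch tree.
# Manifest columns: filename bytes cksum sum-r (header and "====" rows are
# skipped, as are rows whose bytes column is a dash placeholder, such as the
# README's own entry). Only bytes and cksum are checked, since POSIX cksum
# reports both; the sum -r column is ignored.
verify_manifest() {
    manifest="$1"
    base="$2"
    failures=0
    while read -r name bytes ck rest; do
        case "$name" in ""|Filename|=*) continue ;; esac   # header/blank rows
        case "$bytes" in -*) continue ;; esac              # placeholder rows
        path="$base/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            failures=$((failures + 1))
            continue
        fi
        # cksum prints: <crc> <bytes> <filename>
        set -- $(cksum "$path")
        actual_ck="$1"
        actual_bytes="$2"
        if [ "$actual_ck" != "$ck" ] || [ "$actual_bytes" != "$bytes" ]; then
            echo "MISMATCH $name expected cksum=$ck bytes=$bytes got cksum=$actual_ck bytes=$actual_bytes"
            failures=$((failures + 1))
        else
            echo "OK       $name"
        fi
    done < "$manifest"
    # exit status is the number of files that were missing or did not match
    return "$failures"
}

# Usage: sh verify_patch.sh P410A-02M.manifest /path/to/unpacked/patch
if [ "$#" -eq 2 ]; then
    verify_manifest "$1" "$2"
fi
```

A non-zero exit status means at least one listed file is missing or differs from the README table, and installPatch.sh should not be run until the archive has been re-obtained.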