------ README ------

Date: December 19, 2003
Patch: P410S-02M
Component: IBM Directory Server 4.1, FP2 (Server Installations)

General Description:
  Fixes for security vulnerabilities in IDS webadmin

Problem Tracking Information:

  New in P410S-02M

  - APAR IR52841 (CMVC 82973)
    Abstract: Webadmin Scripting Vulnerability
    Scripting code passed as an invalid cgi parameter is not sanitized in
    resulting "IException" message.
    Identified in BugTraq ID: 9140 (see http://www.securityfocus.com/bid/9140)

  - APAR IR52692 (CMVC 82822)
    Abstract: Problem with ldacgi
    ldacgi can be used to view (but not change) any file readable by
    user 'ldap' on the host system.

Platform(s): Solaris

Dependencies: IBM Directory Server 4.1 with fixpack 2 installed

Patch Contents:
  The archive for this patch is named P410S-02M.tar and installs the
  following files:

  Filename                           bytes    cksum       sum -r
  =================================  =======  ==========  ======
  IBMldaps/bin/P410S-02MReadme.txt   -------  ----------  -----
  IBMldaps/bin/P410S-02M.txt         54       371154155   20014
  IBMldaps/web/cgi-bin/ldacgi3e.exe  1741600  2648274827  55503
  IBMldaps/web/cgi-bin/ldacgie.exe   5616520  1010515921  42918

Installing the patch:
  1) Untar the patch file to a directory with at least 20 MB free space.
     This will create a new subdirectory "P410S-02M" containing the
     following files:
       installPatch.sh
       rejectPatch.sh
       P410S-02MReadme.txt
       data
  2) Login as root (su)
  3) Run P410S-02M/installPatch.sh

Uninstalling the patch:
  1) Login as root (su)
  2) Run P410S-02M/rejectPatch.sh

Contents of P410S-02M.txt:
  IBM Directory Release: aus41ldap Build: 031212a

------------- END OF README -------------
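
Added example, not part of the IBM README or patch: a POSIX shell check that the files left in place by installPatch.sh match the "bytes" and "cksum" columns of the Patch Contents table above. The prefix argument (the directory that contains IBMldaps/) and the script name verify_patch.sh are assumptions, since the README does not state the install location.

```shell
#!/bin/sh
# Added example: compare installed files with the README's Patch Contents table.

# Manifest copied from the README table: path, bytes, cksum.
# P410S-02MReadme.txt has no values in the table, so it is not checked.
PATCH_MANIFEST='IBMldaps/bin/P410S-02M.txt 54 371154155
IBMldaps/web/cgi-bin/ldacgi3e.exe 1741600 2648274827
IBMldaps/web/cgi-bin/ldacgie.exe 5616520 1010515921'

# verify_manifest PREFIX MANIFEST
# PREFIX is the directory containing IBMldaps/ (assumption: site-specific).
# Prints one status line per file; returns 0 only if every file exists and
# matches both the listed byte count and the listed cksum value.
verify_manifest() {
    prefix=$1
    manifest=$2
    rc=0
    while read -r path want_bytes want_crc; do
        [ -n "$path" ] || continue
        file="$prefix/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        # POSIX cksum on stdin prints: <crc> <byte count>
        set -- $(cksum < "$file")
        if [ "$1" = "$want_crc" ] && [ "$2" = "$want_bytes" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got bytes=$2 cksum=$1)"
            rc=1
        fi
    done <<EOF
$manifest
EOF
    return $rc
}

# Usage: sh verify_patch.sh /directory/containing/IBMldaps
if [ $# -eq 1 ]; then
    verify_manifest "$1" "$PATCH_MANIFEST"
fi
```

A MISMATCH or MISSING line for ldacgi3e.exe or ldacgie.exe after running installPatch.sh means the CGI binary on disk is not the one this patch lists.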