------ README ------

Date:      January 12, 2003
Patch:     P411W-02M
Component: IBM Directory Server 4.1, FP2 (Server Installations)

General Description:
  Fixes for security vulnerabilities in IDS webadmin

Problem Tracking Information:

  New in P411W-02M
  - APAR IR52841 (CMVC 82973)
    Abstract: Webadmin Scripting Vulnerability
    Scripting code passed as an invalid cgi parameter is not sanitized
    in the resulting "IException" message.
    Identified in BugTraq ID: 9140
    ( see http://www.securityfocus.com/bid/9140 )

  Previously fixed in P411W-02L
  - APAR IR52692 (CMVC 82822)
    Abstract: Problem with ldacgi
    ldacgi can be used to view (but not change) any file readable by
    user 'ldap' on the host system.

Platform(s): Windows

Dependencies: IBM Directory Server 4.1.1 with fixpack 2 installed

Patch Contents:
  The archive for this patch is named P411W-02M.tar and installs the
  following files:

  Filename                  bytes     cksum        sum -r
  =======================   =======   ==========   ======
  bin\P411W-02MReadme.txt   ----      ----------   -----
  bin\P411W-02M.txt         55        3369896007   42786
  web\cgi-bin\ldacgi.exe    3074560   1473273128   28221
  web\cgi-bin\ldacgi3.exe   1451008   2450601794   22322

Installing the patch:
  1) Untar the patch file to a directory with at least 7 MB free space.
     This will create a new subdirectory "P411W-02M" containing the
     following files:
       installPatch.bat
       rejectPatch.bat
       P411W-02MReadme.txt
       data
  2) Run P411W-02M/installPatch.bat

Uninstalling the patch:
  1) Run P411W-02M/rejectPatch.bat

Contents of P411W-02M.txt:
  IBM Directory
  Release: aus41ldap
  Build: 031212a

------------- END OF README -------------
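
Added example (not part of the IBM README or the patch): a Python check that the installed files match the byte counts and cksum values in the "Patch Contents" table, for Windows hosts that have no cksum utility. It assumes the bin\ and web\ paths are relative to the Directory Server install directory, which is passed as the first argument; the function names are this example's own.

```python
import sys
from pathlib import Path

# Size and POSIX cksum values copied from the "Patch Contents" table above.
MANIFEST = {
    r"bin\P411W-02M.txt": (55, 3369896007),
    r"web\cgi-bin\ldacgi.exe": (3074560, 1473273128),
    r"web\cgi-bin\ldacgi3.exe": (1451008, 2450601794),
}

def _table():
    out = []
    for i in range(256):
        crc = i << 24
        for _ in range(8):
            crc = (crc << 1) ^ (0x04C11DB7 if crc & 0x80000000 else 0)
        out.append(crc & 0xFFFFFFFF)
    return out

_T = _table()

def crc_update(crc, data):
    """Feed bytes into the MSB-first CRC-32 that POSIX cksum uses."""
    for b in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _T[(crc >> 24) ^ b]
    return crc

def posix_cksum(path):
    """Return (cksum, size) as `cksum FILE` would print them."""
    crc, size = 0, 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc, size = crc_update(crc, chunk), size + len(chunk)
    n = size
    while n:  # POSIX appends the length, least significant byte first
        crc, n = crc_update(crc, bytes([n & 0xFF])), n >> 8
    return crc ^ 0xFFFFFFFF, size

def verify(root, manifest=MANIFEST):
    """Map each manifest entry to 'ok', 'missing' or 'mismatch'."""
    result = {}
    for name, (size, cksum) in manifest.items():
        path = Path(root, *name.split("\\"))
        if not path.is_file():
            result[name] = "missing"
        else:
            result[name] = "ok" if posix_cksum(path) == (cksum, size) else "mismatch"
    return result

if __name__ == "__main__":
    # Assumption: argv[1] is the install directory holding bin\ and web\.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in verify(root).items():
        print(f"{status:9} {name}")
```

A "mismatch" on ldacgi.exe or ldacgi3.exe after running installPatch.bat means the CGI binaries on disk are not the ones this patch ships, so the fixes listed above should not be assumed to be in place.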