From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Tue, 30 Oct 2001 17:48:54 -0800 (PST)
Subject: [iwar] [fc:Manpower.Japan.Potential.Personal.Information.Leak.Vulnerability]

----------------------------------------------------------------------
SNS Advisory No.45
Manpower Japan Potential Personal Information Leak Vulnerability

Problem first discovered: Fri, 22 Jun 2001
Published: Tue, 30 Oct 2001
----------------------------------------------------------------------

Type of Document:
-----------------
Discovery of a security issue and report of a solution

Overview:
---------
A vulnerability was found in the Manpower Japan homepage that could lead to
disclosure of registered personal information.

Problem Description:
--------------------
Although a username and password must be authenticated in order to view
and/or update personal information, some parts of the session management
were not processed properly. It was possible to access other profiles by
simply modifying the following parameter included in the link that allows
for update of personal information:

  CandID=100003034
    to
  CandID=100003035

Solution:
---------
This problem was reported immediately after discovery to those in charge so
that appropriate measures could be taken. Thus, the affected session
management has already been fixed (October 29, 2001).

Discovered by:
--------------
Nobuo Miwa (LAC) n-miwa@lac.co.jp

Disclaimer:
-----------
All information in these advisories is subject to change without any
advance notice or mutual consensus, and each of them is released as it is.
LAC Co., Ltd. is not responsible for any risks of occurrences caused by
applying this information.
References
----------
Archive of this advisory (in preparation now):
http://www.lac.co.jp/security/english/snsadv_e/45_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
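The flaw the advisory describes is a missing per-record authorization check: being logged in was enough to fetch any CandID. The sketch below is an added example, not code from the advisory or from the affected site; the URL path, session table, profile data and function names are all assumptions, and only the two CandID values come from the advisory.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: candidate profiles and logged-in sessions.
PROFILES = {
    "100003034": {"name": "Candidate A"},
    "100003035": {"name": "Candidate B"},
}
SESSIONS = {"sess-a": "100003034"}  # session token -> authenticated CandID


class Forbidden(Exception):
    """Raised when the request is not authorized for the requested profile."""


def _cand_id(url):
    # Extract the CandID query parameter; reject missing, repeated or
    # non-numeric values instead of guessing which one was meant.
    values = parse_qs(urlparse(url).query).get("CandID", [])
    if len(values) != 1 or not values[0].isdigit():
        raise Forbidden("bad CandID")
    return values[0]


def get_profile_weak(session_token, url):
    # Weak: only checks that *some* login exists, then trusts the URL's CandID.
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return PROFILES[_cand_id(url)]


def get_profile_fixed(session_token, url):
    # Fixed: the record served must belong to the session's own CandID.
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("not logged in")
    if _cand_id(url) != owner:
        raise Forbidden("CandID does not belong to this session")
    return PROFILES[owner]
```

Deriving the record from the session alone and dropping CandID from the link entirely is the stricter variant of the same fix.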
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:58 PST