Trend Micro ServerProtect Session ID Authentication Bypass Vulnerability

Bugtraq ID:	22662
Class:	Access Validation Error
CVE:	CVE-2007-1168
Remote:	Yes
Local:	No
Published:	Feb 21 2007 12:00AM
Updated:	May 12 2015 07:34PM
Credit:	Damian Put discovered this vulnerability.
Vulnerable:	Trend Micro ServerProtect for Linux
Not Vulnerable:

Trend Micro ServerProtect Session ID Authentication Bypass Vulnerability

Trend Micro ServerProtect is prone to an authentication-bypass vulnerability.

A successful attack can allow an unauthorized attacker to bypass authentication routines and access the application as any logged-in user. The attacker may then carry out other attacks against the vulnerable computer or database.

Note that this vulnerability is not present in any of the Microsoft Windows versions of Trend Micro ServerProtect.

Trend Micro ServerProtect Session ID Authentication Bypass Vulnerability

Attackers can exploit this issue via a web client.

Trend Micro ServerProtect Session ID Authentication Bypass Vulnerability

Solution:
The vendor has released a fix to address this issue; please see the references for more information.


Trend Micro ServerProtect for Linux

• Trend Micro splx_v2.5.i686.zip
  http://www.trendmicro.com/ftp/products/splx/splx_v2.5.i686.zip

Trend Micro ServerProtect Session ID Authentication Bypass Vulnerability

References:

• Trend Micro Homepage (Trend Micro)
  
• Trend Micro ServerProtect for Linux Update (Trend Micro)
  
• iDefense Security Advisory 02.16.07: Trend Micro ServerProtect Web Interface Aut ( iDefense Labs )