----------------------------------------------------------------------
SNS Advisory No.45
Manpower Japan Potential Personal Information Leak Vulnerability

Problem first discovered: Fri, 22 Jun 2001
Published: Tue, 30 Oct 2001
----------------------------------------------------------------------

Type of Document:
-----------------
Discovery of a security issue and report of a solution

Overview:
---------
A vulnerability was found in the Manpower Japan homepage that could lead
to disclosure of registered personal information.

Problem Description:
--------------------
Although a username and password are required in order to view and/or
update personal information, some parts of the session management were
not handled properly. It was possible to access other profiles simply by
modifying the following parameter in the link used to update personal
information:

CandID=100003034 to CandID=100003035

Solution:
---------
This problem was reported immediately after discovery to those in charge
so that appropriate measures could be taken. Thus, the affected session
management has already been fixed (October 29, 2001).

Discovered by:
--------------
Nobuo Miwa (LAC) n-miwa@lac.co.jp

Disclaimer:
-----------
All information in these advisories is subject to change without advance
notice or mutual consensus, and each advisory is released as is.
LAC Co., Ltd. is not responsible for any risks of occurrences caused by
applying this information.

References
----------
Archive of this advisory (in preparation now):
http://www.lac.co.jp/security/english/snsadv_e/45_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
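
The class of flaw described under Problem Description, as an added example (not code from LAC or from the affected site, whose implementation the advisory does not describe): a handler that checks login but selects the record from the client-supplied CandID, beside one that binds the record to the session. The function names, the session store, the audit log and the sample records are all constructed assumptions.

```python
# Added illustration. Every name here is hypothetical and all data is constructed.
PROFILES = {  # constructed sample records keyed by CandID
    "100003034": {"name": "Candidate A", "phone": "000-0000-0001"},
    "100003035": {"name": "Candidate B", "phone": "000-0000-0002"},
}
SESSIONS = {"sess-a": "100003034"}  # session token -> CandID bound at login
AUDIT_LOG = []  # denied cross-account requests, kept for detection


class Forbidden(Exception):
    """Raised when a request must not be served."""


def get_profile_vulnerable(session_token, params):
    """Flawed pattern: login is verified, but the record to return is
    chosen by the CandID the client sent, not by the session."""
    if session_token not in SESSIONS:
        raise Forbidden("login required")
    return PROFILES[params["CandID"]]


def get_profile_fixed(session_token, params):
    """Hardened pattern: the record is chosen from server-side session
    state; a CandID that differs from the session owner is refused and
    recorded."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("login required")
    requested = params.get("CandID", owner)
    if requested != owner:
        AUDIT_LOG.append({"session_owner": owner, "requested": requested})
        raise Forbidden("CandID does not belong to this session")
    return PROFILES[owner]


if __name__ == "__main__":
    other = {"CandID": "100003035"}  # the parameter change from the advisory
    print("vulnerable handler returns:", get_profile_vulnerable("sess-a", other))
    try:
        get_profile_fixed("sess-a", other)
    except Forbidden as exc:
        print("fixed handler refuses:", exc)
    print("audit log:", AUDIT_LOG)
```

Repeated entries in the audit log with sequential `requested` values from one session are a useful detection signal for this kind of enumeration.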