This document provides an overview of the changes made to HP OpenView Select Access 6.2 for HotFix C. It contains important information not included in the manuals or in online help. This HotFix may or may not be incorporated into a future release in its present or enhanced form.
CAUTION: This HotFix has been verified. We confirm that all issues documented in this readme have been resolved. However, HP recommends that you apply this update in a test environment before deploying across your Select Access system.
This HotFix contains a fix for a critical security issue. The Select Access IIS Enforcer incorrectly interpreted URLs containing backslash characters ('\' or %5c). IIS internally treats both backslash and forward slash as directory separators. The enforcer did not contain equivalent code, so it sent requests to the validator with an incorrect resource path. This could allow users to access resources that they are not normally permitted to access.
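The mismatch described above, as an added illustration that is not Select Access code: a policy check run on a path where the backslash is left as an ordinary character, next to the same check after the backslash is mapped to a forward slash the way IIS treats it. The policy table, request paths and function names are all hypothetical and constructed for this example.

```python
from urllib.parse import unquote

# Constructed policy (hypothetical): directories that require authorization.
PROTECTED_DIRS = ("/protected",)

# Constructed request paths, as they would appear on the request line.
SAMPLE_PATHS = [
    "/public/index.html",
    "/protected/report.html",
    "/protected\\report.html",
    "/protected%5creport.html",
    "/protected%5Csub/report.html",
]


def naive_resource_path(raw_path):
    """Percent-decode only; a backslash stays an ordinary character."""
    return unquote(raw_path)


def canonical_resource_path(raw_path):
    """Percent-decode, then treat '\\' as a directory separator like '/'."""
    return unquote(raw_path).replace("\\", "/")


def requires_authorization(resource_path):
    """True when the path is a protected directory or lies beneath one."""
    return any(resource_path == d or resource_path.startswith(d + "/")
               for d in PROTECTED_DIRS)


def decision_mismatches(raw_paths):
    """Return the paths whose policy decision changes once '\\' is normalized."""
    mismatches = []
    for raw in raw_paths:
        before = requires_authorization(naive_resource_path(raw))
        after = requires_authorization(canonical_resource_path(raw))
        if before != after:
            mismatches.append((raw, before, after))
    return mismatches


if __name__ == "__main__":
    for raw, before, after in decision_mismatches(SAMPLE_PATHS):
        print(f"{raw!r}: protected before={before} after={after}")
```

Running decision_mismatches over recorded request paths is also a quick way to find requests whose authorization decision depended on how the backslash was read.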
This HotFix updates the following files:
This HotFix applies directly on top of Select Access 6.2.
©Copyright 2006 Hewlett-Packard Development Company, L.P
All other product names are the property of their respective trademark or service mark holders and are hereby acknowledged.