Penetration Testing mailing list archives
IBM Websphere Portal Authentication Bypass
From: Eduardo Sierra <esierr4 () gmail com>
Date: Mon, 19 Oct 2009 15:38:51 -0400
Hi List,

I'm an IT Risk Auditor, last year we found some documentation, regarding an authentication security bypass vulnerability, affecting IBM Websphere Portal 5.1.0.4. (Our transactional web site runs on it).

We failed to raise awareness about the issue, and after a year the security hole remains. I'm looking for further information on how to exploit it. The purpose of it is to actually log externally to the web site servers, take a few snapshots and file a report, or drop the issue or look at it at a different angle.

http://www.securityfocus.com/bid/30500

I assume that any attack on this must be some form of URL manipulation, SQL injection or hidden parameter tampering, I haven't tested this myself... I'll try setting up a lab.

Any help will be much appreciated.

Eduardo Sierra