Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IBM Websphere Portal Authentication Bypass

From: Eduardo Sierra <esierr4 () gmail com>
Date: Thu, 17 Dec 2009 15:39:47 -0400
Hi list,

No luck, Does http://XXXX:XXXX/wps/portal/!ut/p/cxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4g3sdAvyHZUBAAqwx9c
mean something to anyone?

The 04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4g3sdAvyHZUBAAqwx9c part appears
a lot if you google it...what is it?

I find it even in an IBM solution document...,
http://www-01.ibm.com/support/docview.wss?uid=swg21255118

If you have other URL to try authentication bypass please share. My
time is almost up. documentartion could also be usefull but im trying
for the auth bypass.

Best Regards,

Eduardo.



2009/10/21 Eduardo Sierra <esierr4 () gmail com>:

Thanks You Very Much Paul,

I'll check wether 'enable-http-basic-auth-tai-sitemgmt'  it's
configured or not. I have internal admin acces to the server (user and
password don't work externally, auth is done againts an internal
ldap.)

So i'll follow your hint and try to discover a list of URLs from the
admin interface and then see which ones ask for authentication and
which do not. I would have never thought of such aproach. It is a
sound test.

Bests Regards

Eduardo Sierra

2009/10/20 Paul Melson <pmelson () gmail com>:

On Mon, Oct 19, 2009 at 3:38 PM, Eduardo Sierra <esierr4 () gmail com> wrote:

I'm an IT Risk Auditor, last year we found some documentation,
regarding an authentication security bypass vulnerability, afecting
IBM Websphere Portal 5.1.0.4. (Our  transactional web site runs on
it).



If you haven't configured 'enable-http-basic-auth-tai-sitemgmt' you
are unaffected by this bug since remote administration would not be
enabled.

[...]


I assume that any attack on this must be some form of url
manipulation, sql-injection or hidden parameter tampering, i haven't
tested this myself... i'll try setting up a lab


It's not even that.  For the remote administration URLs, if you know
them up front, you can bypass the password protection for some of them
by typing them directly into the browser.  If you have the portal
admin password, you could use that to crawl the portal admin interface
to discover a list of URLs and then try each of of them without the
password and see which ones return a 403 and which ones just give up
the page.

PaulM





------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: