Penetration Testing mailing list archives
Re: IBM Websphere Portal Authentication Bypass
From: Eduardo Sierra <esierr4 () gmail com>
Date: Thu, 17 Dec 2009 15:39:47 -0400
Hi list,

No luck. Does http://XXXX:XXXX/wps/portal/!ut/p/cxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4g3sdAvyHZUBAAqwx9c mean something to anyone?

The 04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4g3sdAvyHZUBAAqwx9c part appears a lot if you google it... what is it? I find it even in an IBM solution document: http://www-01.ibm.com/support/docview.wss?uid=swg21255118

If you have other URLs to try authentication bypass, please share. My time is almost up. Documentation could also be useful, but I'm trying for the auth bypass.

Best Regards,
Eduardo.

2009/10/21 Eduardo Sierra <esierr4 () gmail com>:
> Thank you very much, Paul,
>
> I'll check whether 'enable-http-basic-auth-tai-sitemgmt' is configured or not.
>
> I have internal admin access to the server (user and password don't work externally, auth is done against an internal LDAP). So I'll follow your hint and try to discover a list of URLs from the admin interface and then see which ones ask for authentication and which do not. I would have never thought of such an approach. It is a sound test.
>
> Best regards,
> Eduardo Sierra
>
> 2009/10/20 Paul Melson <pmelson () gmail com>:
>> On Mon, Oct 19, 2009 at 3:38 PM, Eduardo Sierra <esierr4 () gmail com> wrote:
>>> I'm an IT Risk Auditor. Last year we found some documentation regarding an authentication security bypass vulnerability affecting IBM Websphere Portal 5.1.0.4. (Our transactional web site runs on it.)
>>
>> If you haven't configured 'enable-http-basic-auth-tai-sitemgmt' you are unaffected by this bug since remote administration would not be enabled.
>>
>> [...]
>>
>>> I assume that any attack on this must be some form of URL manipulation, SQL injection or hidden parameter tampering. I haven't tested this myself... I'll try setting up a lab.
>>
>> It's not even that. For the remote administration URLs, if you know them up front, you can bypass the password protection for some of them by typing them directly into the browser. If you have the portal admin password, you could use that to crawl the portal admin interface to discover a list of URLs and then try each of them without the password and see which ones return a 403 and which ones just give up the page.
>>
>> PaulM
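
The check described in the quoted reply (request each known admin URL without credentials and sort by response) can be scripted as an access-control regression test for a portal you administer. This is an added example, not code from the thread; the host, paths, login marker and canned responses are constructed placeholders.

```python
import urllib.error
import urllib.request

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report the 3xx itself instead of following it

def fetch_unauthenticated(url, timeout=10):
    """GET url with no cookies or credentials; return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, err.headers.get("Location")
    except OSError:  # DNS failure, refused connection, timeout
        return None, None

def classify(status, location, login_markers=("login",)):
    """Map an unauthenticated response to a finding."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400:  # a redirect only counts if it leads to the login page
        target = (location or "").lower()
        return "protected" if any(m in target for m in login_markers) else "review"
    if 200 <= status < 300:  # page served without a session
        return "exposed"
    return "review"

def audit(urls, fetch=fetch_unauthenticated):
    """Classify each admin URL by how it answers a request without credentials."""
    report = {"protected": [], "exposed": [], "review": [], "unreachable": []}
    for url in urls:
        report[classify(*fetch(url))].append(url)
    return report

# Constructed sample: hypothetical host and paths, canned responses (no network).
BASE = "https://portal.example.test/admin/"
SAMPLE = {BASE + "page-a": (403, None), BASE + "page-b": (200, None),
          BASE + "page-c": (302, "/login"), BASE + "page-d": (302, "/home"),
          BASE + "page-e": (None, None)}

if __name__ == "__main__":
    for finding, urls in audit(SAMPLE, fetch=SAMPLE.get).items():
        print(finding, urls)
```

A 200 can still be a login form rendered in place, so entries under "exposed" need a look at the response body before they are reported as findings.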