Penetration Testing mailing list archives

Re: IBM Websphere Portal Authentication Bypass


From: Paul Melson <pmelson () gmail com>
Date: Tue, 20 Oct 2009 07:41:58 -0400

On Mon, Oct 19, 2009 at 3:38 PM, Eduardo Sierra <esierr4 () gmail com> wrote:
> I'm an IT Risk Auditor, last year we found some documentation,
> regarding an authentication security bypass vulnerability, affecting
> IBM Websphere Portal 5.1.0.4. (Our transactional web site runs on
> it).


If you haven't configured 'enable-http-basic-auth-tai-sitemgmt' you
are unaffected by this bug since remote administration would not be
enabled.

[...]

> I assume that any attack on this must be some form of url
> manipulation, sql-injection or hidden parameter tampering, I haven't
> tested this myself... I'll try setting up a lab

It's not even that.  For the remote administration URLs, if you know
them up front, you can bypass the password protection for some of them
by typing them directly into the browser.  If you have the portal
admin password, you could use that to crawl the portal admin interface
to discover a list of URLs and then try each of them without the
password and see which ones return a 403 and which ones just give up
the page.

PaulM
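
The check described in the reply above (request each known admin URL with and without credentials and compare the responses), as an added example that is not part of the original post, written as a regression check for a portal you administer. The paths, the credential and the local stand-in server are constructed placeholders, not WebSphere Portal URLs.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a portal; every path and the credential are placeholders.
ENFORCED = {"/admin/users", "/admin/config"}  # handler checks credentials
MISSED = {"/admin/export"}                    # handler forgets the check
AUTH = "Basic dGVzdDp0ZXN0"                   # constructed test:test
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies

class Portal(BaseHTTPRequestHandler):
    def do_GET(self):
        authed = self.headers.get("Authorization") == AUTH
        if self.path in ENFORCED and not authed:
            code = 403
        else:
            code = 200 if self.path in ENFORCED | MISSED else 404
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def status(url, auth=None):
    """Return the HTTP status for a GET, with or without credentials."""
    req = urllib.request.Request(url)
    if auth:
        req.add_header("Authorization", auth)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base, paths, auth):
    """Paths that answer 200 both with and without credentials."""
    return [p for p in paths
            if status(base + p, auth) == 200 and status(base + p) == 200]

def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), Portal)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{srv.server_port}"
        return audit(base, sorted(ENFORCED | MISSED), AUTH)
    finally:
        srv.shutdown()
        srv.server_close()
```

Any path that `audit` returns is served without credentials and needs an access-control fix; a 403 on the unauthenticated request is the expected result for every admin URL.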
