[UNIX] IBM WebSphere Reveals System Administrator Password
From: support@securiteam.com Date: 12/28/01
From: support@securiteam.com To: list@securiteam.com Date: Fri, 28 Dec 2001 12:03:26 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
IBM WebSphere Reveals System Administrator Password
------------------------------------------------------------------------
SUMMARY
On a default installation, WebSphere installs itself to run with root identity and stores the administrator password in clear text in the file $WASROOT/properties/sas.server.props. The file has permissions 600, so other users on the system cannot access it directly.
The problem is that, by default, all Java code running in WebSphere (JSPs, Servlets, etc.) also runs with root identity and is therefore able to access every file on the server's file system.
It is therefore possible for a normal user who has access to the system to construct a JSP file that reads the contents of sas.server.props, copy it into an appropriate directory and access the JSP through a web browser, thereby obtaining the administrator password.
It might also be possible to construct a JSP file that writes shell scripts to the server's file system and executes them with root identity.
DETAILS
Vulnerable systems:
IBM WebSphere 3.0.* on AIX, LINUX, SUN
IBM WebSphere 3.5.* on AIX, LINUX, SUN
Workaround:
A) Change WebSphere to run with a non-root identity (this is preferred)
For Sun Solaris:
http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
For generic UNIX platforms:
http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
http://www7b.boulder.ibm.com/wsdd/library/presents/nonrootlogin.html
B) Create application servers under a non-root identity (do this only if you cannot take step A)
http://www-4.ibm.com/software/webservers/appserv/doc/v40/ae/infocenter/was/0606a01.html
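An administrator can verify that workaround A is actually in effect with two checks matching the advisory's conditions: no WebSphere process owned by root, and sas.server.props owned by the service account with mode 600 only. This is an added example, not part of the advisory or of IBM's documentation; the install path /opt/WebSphere/AppServer, the service account name and the process listing lines are constructed assumptions.

```shell
#!/bin/sh
# Added audit script (not from the SecuriTeam advisory or IBM). Checks the
# two conditions the advisory describes: WebSphere running as root, and the
# clear-text password file $WASROOT/properties/sas.server.props being
# accessible to anyone but its owner.

# check_server_not_root LISTING WASROOT
#   LISTING is the text of a "ps -eo user,pid,args"-style listing.
#   Returns 0 when no process whose command line mentions WASROOT is owned
#   by root, 1 when at least one is.
check_server_not_root() {
    printf '%s\n' "$1" | awk -v wasroot="$2" '
        $1 == "root" && index($0, wasroot) > 0 { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# check_props_file FILE OWNER
#   Returns 0 when FILE exists, is owned by OWNER and its mode is exactly
#   -rw------- (600, no group/world bits, no ACL "+" marker); 1 otherwise.
#   Parses "ls -ld" rather than stat so it works alike on AIX, Linux, Solaris.
check_props_file() {
    file=$1
    expect_owner=$2
    [ -f "$file" ] || return 1
    line=$(ls -ld "$file") || return 1
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    case "$mode" in
        -rw-------|-rw-------.) ;;  # "." is the SELinux context marker some ls versions append
        *) return 1 ;;
    esac
    [ "$owner" = "$expect_owner" ]
}

# Typical use on a live host (assumed path and account):
#   check_server_not_root "$(ps -eo user,pid,args)" /opt/WebSphere/AppServer
#   check_props_file /opt/WebSphere/AppServer/properties/sas.server.props wasadmin
```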
ADDITIONAL INFORMATION
The information has been provided by Tunkelo Heikki (extern) <Heikki.Tunkelo@erln.gepas.de> and Christer Palm <palm@nogui.se>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.