[NEWS] Weak Password Protection in WebSphere XML Configuration Export

From: support@securiteam.com
Date: 02/05/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 5 Feb 2003 01:45:34 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Weak Password Protection in WebSphere XML Configuration Export


    Passwords in WebSphere XML configuration export are not sufficiently
    protected. If the exported configuration gets into the hands of a
    malicious user, he or she can de-obfuscate passwords easily and can gain
    access to the password-protected resources.


    Vulnerable systems:
     * WebSphere Advanced Server Edition version 4.0.4

    WebSphere Advanced Server Edition 4.0.4 offers a management functionality
    that allows an administrator to export the whole WebSphere configuration
    as an XML file. The export includes passwords needed for accessing keying
    material and data sources:

          <jdbc-driver action="update" name="Sample DB Driver">
              <property name="serverName" value=""/>
              <property name="password" value="{xor}KD4sa28="/>
              <property name="portNumber" value=""/>
              <property name="databaseName" value="was40"/>
              <property name="user" value="was40"/>
              <property name="disable2Phase" value="true"/>
              <property name="ifxIFXHOST" value=""/>
              <property name="URL" value=""/>
              <property name="informixLockModeWait" value=""/>
          </jdbc-driver>

    These passwords are obfuscated and Base64-encoded. Obfuscated values
    are marked with the {xor} prefix.

    The obfuscation algorithm is as follows:
     - CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the
       position of the character
     - ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)

    Deobfuscation process:
     - ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
     - CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")
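    The two procedures above carried through in code, as an added example that is not part of the advisory: an audit helper that walks an exported configuration and reports every property still relying on the {xor} masking. The XML wrapper element and the sample export are constructed for the example; jdbc-driver and property are the element names the advisory shows.

```python
import base64
import xml.etree.ElementTree as ET

XOR_PREFIX = "{xor}"
XOR_KEY = ord("_")  # every byte is XORed with the same fixed byte 0x5F


def obfuscate(password: str) -> str:
    """WebSphere {xor} scheme as described: XOR each byte with '_', then Base64-encode."""
    masked = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return XOR_PREFIX + base64.b64encode(masked).decode("ascii")


def deobfuscate(value: str) -> str:
    """Reverse of obfuscate(); raises on values that do not carry the {xor} prefix."""
    if not value.startswith(XOR_PREFIX):
        raise ValueError("not a {xor}-protected value")
    masked = base64.b64decode(value[len(XOR_PREFIX):])
    return bytes(b ^ XOR_KEY for b in masked).decode("utf-8")


def find_xor_protected_properties(xml_text: str):
    """Audit helper (assumed name): list (owner, property, recovered value) for every
    property whose only protection is the reversible {xor} masking."""
    root = ET.fromstring(xml_text)
    findings = []
    for owner in root.iter():
        for prop in owner.findall("property"):
            value = prop.get("value", "")
            if value.startswith(XOR_PREFIX):
                findings.append((owner.get("name"), prop.get("name"), deobfuscate(value)))
    return findings


# Constructed sample export; the <websphere-export> wrapper is an assumption.
SAMPLE_EXPORT = """<websphere-export>
  <jdbc-driver action="update" name="Sample DB Driver">
    <property name="serverName" value=""/>
    <property name="password" value="{xor}KD4sa28="/>
    <property name="user" value="was40"/>
  </jdbc-driver>
</websphere-export>"""

if __name__ == "__main__":
    for owner, name, plain in find_xor_protected_properties(SAMPLE_EXPORT):
        print(f"{owner}: property '{name}' is only {{xor}}-masked (recovers to {plain!r})")
```

Running the audit over a real export before it leaves the administrator's directory shows which entries the advisory's warning applies to.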

    Administrators should take care that they export the configuration to an
    administrator accessible directory only and destroy the export file after


    The information has been provided by <mailto:jan.monsch@csnc.ch> Jan P.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
