[NEWS] Weak Password Protection in WebSphere XML Configuration Export
From: support@securiteam.com
Date: 02/05/03
From: support@securiteam.com To: list@securiteam.com Date: 5 Feb 2003 01:45:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Weak Password Protection in WebSphere XML Configuration Export
------------------------------------------------------------------------
SUMMARY
Passwords in WebSphere XML configuration export are not sufficiently
protected. If the exported configuration gets into the hands of a
malicious user, he or she can de-obfuscate passwords easily and can gain
access to the password-protected resources.
DETAILS
Vulnerable systems:
* WebSphere Advanced Server Edition version 4.0.4
WebSphere Advanced Server Edition 4.0.4 offers a management functionality
that allows an administrator to export the whole WebSphere configuration
as an XML file. The export includes passwords needed for accessing keying
material and data sources:
<jdbc-driver action="update" name="Sample DB Driver">
..
<config-properties>
<property name="serverName" value=""/>
<property name="password" value="{xor}KD4sa28="/>
<property name="portNumber" value=""/>
<property name="databaseName" value="was40"/>
<property name="user" value="was40"/>
<property name="disable2Phase" value="true"/>
<property name="ifxIFXHOST" value=""/>
<property name="URL" value=""/>
<property name="informixLockModeWait" value=""/>
</config-properties>
</data-source>
These passwords are obfuscated and Base64-encoded. The obfuscated values
are marked with the {xor} prefix.
The obfuscation algorithm is as follows:
- CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the
position of the character
- ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)
Deobfuscation process:
- ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
- CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")
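The two procedures above, implemented as an added example that is not part of the advisory: a round trip through the fixed-key XOR and Base64 steps, plus a small audit check that walks a configuration export and lists every property still carrying a {xor} value, so an administrator can confirm a file contains recoverable credentials before it leaves a restricted directory. The XML fragment is constructed here as a well-formed stand-in for the excerpt in the advisory; the latin-1 byte mapping is an assumption, since the advisory does not say how non-ASCII password characters are encoded.

```python
import base64
import xml.etree.ElementTree as ET

XOR_KEY = ord("_")   # 0x5F, the single fixed key described in the advisory
PREFIX = "{xor}"


def obfuscate(password: str) -> str:
    """Reproduce the export's scheme: XOR every byte with '_' then Base64-encode."""
    # latin-1 is an assumption: one byte per character, matching the per-character XOR.
    raw = bytes(b ^ XOR_KEY for b in password.encode("latin-1"))
    return PREFIX + base64.b64encode(raw).decode("ascii")


def deobfuscate(value: str) -> str:
    """Reverse the scheme: Base64-decode, then XOR every byte with '_'."""
    if not value.startswith(PREFIX):
        raise ValueError("not a {xor}-obfuscated value")
    raw = base64.b64decode(value[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")


# Constructed sample: a well-formed stand-in for the <config-properties>
# excerpt shown in the advisory (the property values are the ones it quotes).
SAMPLE_EXPORT = """<data-source action="update" name="Sample DB">
  <config-properties>
    <property name="serverName" value=""/>
    <property name="password" value="{xor}KD4sa28="/>
    <property name="databaseName" value="was40"/>
    <property name="user" value="was40"/>
  </config-properties>
</data-source>
"""


def find_obfuscated_properties(xml_text: str) -> list[str]:
    """Audit check: names of every property whose value uses the {xor} prefix.

    A non-empty result means the export carries credentials that anyone with
    read access can recover, so the file must be treated as a secret: keep it
    in an administrator-only directory and delete it after use.
    """
    root = ET.fromstring(xml_text)
    return [
        prop.get("name", "")
        for prop in root.iter("property")
        if prop.get("value", "").startswith(PREFIX)
    ]


if __name__ == "__main__":
    for name in find_obfuscated_properties(SAMPLE_EXPORT):
        print(f"recoverable credential in property '{name}'")
    # Demonstrate reversibility on a constructed password, not a real one.
    assert deobfuscate(obfuscate("s3cret!")) == "s3cret!"
```

The XOR with a constant key is its own inverse, which is why `obfuscate` and `deobfuscate` differ only in where the Base64 step sits; there is no secret involved, so the audit check treats any {xor} value as plaintext-equivalent.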
Workaround:
Administrators should take care that they export the configuration to an
administrator accessible directory only and destroy the export file after
use.
ADDITIONAL INFORMATION
The information has been provided by <mailto:jan.monsch@csnc.ch> Jan P.
Monsch.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.