Re: IBM Websphere Portal pentest
There is an overlooked bug in reading (maybe editing) files in
Websphere, unless they fixed it. Sniff some POSTs using Live Headers
or something and you should be able to read files with SYSTEM
privileges, I believe (if that is what Websphere is still run under).
So, that is a possibility for escalation, of some kind.

Jeremy

On Sat, Mar 21, 2009 at 7:48 AM, <pentestb0y@xxxxxxxxxxx> wrote:
Hi list,

I'm doing a pentest for a company with web application built on top of
IBM Websphere portal.
So far, I managed to get the admin password to the portal. My analysis
suggests that their current setup looks like this:

They're using a WebSEAL reverse proxy which handles the authentication and
access control on the Portal's resources served by an IBM HTTP Server
with an LDAP user directory.

So far, that's all I know.


I've read a few manuals and ebooks about this whole Portal thing and
realized that this is one complex collection of different applications.
I only have a few days to do the testing so I don't have much time to
figure out what else I can do given that I was able to obtain the Portal
admin login credentials.


I'm trying to build a case on what an attacker can do once he gets admin
access to the Portal. Is it possible to enumerate the internal Directory
and Databases through the Portal? I've read a short tutorial on how one
can create a Portlet and upload it to the Portal. I'm thinking this
could probably be how one should go about it.


Before I tell the client that it is game over for them once an attacker
gets portal admin rights, I have to explain how an attacker can
leverage this situation.


Any idea?
--

 pentestb0y@xxxxxxxxxxx

--
http://www.fastmail.fm - Email service worth paying for. Try it for free


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own exploits? InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well.

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------