IBM Websphere Portal Authentication Bypass


IBM Websphere Portal Authentication Bypass

by Eduardo Sierra

Hi List,

I'm an IT Risk Auditor, last year we found some documentation,
regarding an authentication security bypass vulnerability, affecting
IBM Websphere Portal 5.1.0.4. (Our transactional web site runs on
it).

We failed to raise awareness about the issue, and after a year the
security hole remains. I'm looking for further information on how to
exploit it. The purpose of it is to actually log externally to the web
site servers, take a few snapshots and file a report, or drop the
issue or look at it at a different angle.

http://www.securityfocus.com/bid/30500

I assume that any attack on this must be some form of URL
manipulation, SQL injection or hidden parameter tampering, I haven't
tested this myself... I'll try setting up a lab

Any help will be much appreciated

Eduardo Sierra

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


Re: IBM Websphere Portal Authentication Bypass

by Paul Melson-2

On Mon, Oct 19, 2009 at 3:38 PM, Eduardo Sierra <esierr4@...> wrote:
> I'm an IT Risk Auditor, last year we found some documentation,
> regarding an authentication security bypass vulnerability, affecting
> IBM Websphere Portal 5.1.0.4. (Our transactional web site runs on
> it).
>

If you haven't configured 'enable-http-basic-auth-tai-sitemgmt' you
are unaffected by this bug since remote administration would not be
enabled.

[...]
>
> I assume that any attack on this must be some form of URL
> manipulation, SQL injection or hidden parameter tampering, I haven't
> tested this myself... I'll try setting up a lab

It's not even that.  For the remote administration URLs, if you know
them up front, you can bypass the password protection for some of them
by typing them directly into the browser.  If you have the portal
admin password, you could use that to crawl the portal admin interface
to discover a list of URLs and then try each of them without the
password and see which ones return a 403 and which ones just give up
the page.

PaulM
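
The behaviour described in this reply (some remote administration URLs returning the page instead of a 403 when no password is supplied) can also be looked for in existing access logs. The following is an added example, not part of the original thread: it assumes the server writes NCSA common log format with the authenticated user in the third field, and `ADMIN_PREFIXES` is a hypothetical placeholder because the thread does not name the actual admin URL paths.

```python
import re

# Hypothetical placeholder: the thread does not give the real remote
# administration URL paths; substitute the ones used by your own portal.
ADMIN_PREFIXES = ("/ADMIN-PATH-PLACEHOLDER/",)

# NCSA common log format: host ident user [time] "request" status bytes
# Assumption: the user field holds the authenticated user, "-" if none.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def unauthenticated_admin_hits(lines, prefixes=ADMIN_PREFIXES):
    """Return (host, time, path, status) for every admin URL that was
    served with a 2xx status while no authenticated user was recorded.
    401/403 responses are the expected outcome and are not reported."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(prefixes):
            continue  # not an administration URL
        if m["user"] == "-" and m["status"].startswith("2"):
            hits.append((m["host"], m["time"], path, int(m["status"])))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - portaladmin [20/Oct/2009:10:01:02 +0000] '
    '"GET /ADMIN-PATH-PLACEHOLDER/pages HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Oct/2009:10:05:40 +0000] '
    '"GET /ADMIN-PATH-PLACEHOLDER/settings?view=all HTTP/1.1" 200 4096',
    '198.51.100.7 - - [20/Oct/2009:10:05:41 +0000] '
    '"GET /ADMIN-PATH-PLACEHOLDER/users HTTP/1.1" 403 312',
    '203.0.113.5 - - [20/Oct/2009:10:06:00 +0000] '
    '"GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for host, when, path, status in unauthenticated_admin_hits(SAMPLE_LOG):
        print(f"{when} {host} got {status} for {path} without authentication")
```

If authentication is recorded somewhere other than the access log's user field, the same comparison has to be made against that source instead.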



Re: IBM Websphere Portal Authentication Bypass

by Eduardo Sierra

Thank you very much, Paul,

I'll check whether 'enable-http-basic-auth-tai-sitemgmt' is
configured or not. I have internal admin access to the server (user and
password don't work externally, auth is done against an internal
LDAP.)

So I'll follow your hint and try to discover a list of URLs from the
admin interface and then see which ones ask for authentication and
which do not. I would have never thought of such an approach. It is a
sound test.

Best regards

Eduardo Sierra

2009/10/20 Paul Melson <pmelson@...>:

> On Mon, Oct 19, 2009 at 3:38 PM, Eduardo Sierra <esierr4@...> wrote:
>> I'm an IT Risk Auditor, last year we found some documentation,
>> regarding an authentication security bypass vulnerability, affecting
>> IBM Websphere Portal 5.1.0.4. (Our transactional web site runs on
>> it).
>>
>
> If you haven't configured 'enable-http-basic-auth-tai-sitemgmt' you
> are unaffected by this bug since remote administration would not be
> enabled.
>
> [...]
>>
>> I assume that any attack on this must be some form of URL
>> manipulation, SQL injection or hidden parameter tampering, I haven't
>> tested this myself... I'll try setting up a lab
>
> It's not even that.  For the remote administration URLs, if you know
> them up front, you can bypass the password protection for some of them
> by typing them directly into the browser.  If you have the portal
> admin password, you could use that to crawl the portal admin interface
> to discover a list of URLs and then try each of them without the
> password and see which ones return a 403 and which ones just give up
> the page.
>
> PaulM
>
