FYI: Just in case the iSeries version is susceptible too.

--phil

-----Original Message-----

Subject: Weak password protection in WebSphere 4.0.4 XML configuration export


#############################################################
#
# COMPASS SECURITY                        http://www.csnc.ch/
#
#############################################################
#
# Topic:        WebSphere Advanced Server Edition 4.0.4
# Subject:      Insufficient Password Protection in
#               Configuration Export
# Author:       Jan P. Monsch
# Date:         February 3, 2003
#
#############################################################

Problem:
--------
Passwords in WebSphere XML configuration export are not sufficiently
protected. If the exported configuration gets into the hands of a
malicious user, he or she can deobfuscate passwords easily and can gain
access to the password protected resources.


Workaround:
-----------
Administrators should take care that they export the configuration to an
administrator accessible directory only and destroy the export file
after use.


Vulnerable:
-----------
- WebServer Advanced Server 4.0.4
- other versions might be vulnerable as well


Not vulnerable:
---------------
- Unknown


Details:
--------
WebSphere Advanced Server Edition 4.0.4 offers a management 
functionality which allows an administrator to export the whole 
WebSphere configuration as an XML file. The export includes passwords 
needed for accessing keying material and data sources:

      <jdbc-driver action="update" name="Sample DB Driver">
...
              <config-properties>
                  <property name="serverName" value=""/>
                  <property name="password" value="{xor}KD4sa28="/>
                  <property name="portNumber" value=""/>
                  <property name="databaseName" value="was40"/>
                  <property name="user" value="was40"/>
                  <property name="disable2Phase" value="true"/>
                  <property name="ifxIFXHOST" value=""/>
                  <property name="URL" value=""/>
                  <property name="informixLockModeWait" value=""/>
              </config-properties>
          </data-source>


These passwords are obfuscated and Base64Encoded. Those areas obfuscated 
are marked with the {XOR}-prefix.


The obfuscation algorithm is as follows:
- CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the 
position of the character
- ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)


Deobfuscation process:
- ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
- CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")


Regards Jan


-- 
_____________________________________________________________
Jan P. Monsch
Compass Security Network Computing AG, CSNC

   Tel: +41 55 214 41 67
   Fax: +41 55 214 41 61

E-mail:     jan.monsch@csnc.ch
Web site:   http://www.csnc.ch/

"Security Review - Penetration Testing"
_____________________________________________________________
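
Added example, not part of the original advisory or of WebSphere: a small audit script that applies the scheme described under "Details" to find {xor}-marked properties in an export file and confirm that they are reversible without a key. The function names and the SAMPLE text are assumptions made for illustration; the sample reuses three property lines from the excerpt above.

```python
import base64
import re

XOR_KEY = ord("_")   # fixed single-character key stated in the advisory
PREFIX = "{xor}"     # marker in front of obfuscated values

def obfuscate(password):
    """XOR every byte with '_' and Base64-encode, as the advisory describes."""
    raw = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return PREFIX + base64.b64encode(raw).decode("ascii")

def deobfuscate(value):
    """Reverse the scheme: Base64-decode, then XOR every byte with '_'."""
    if not value.lower().startswith(PREFIX):
        raise ValueError("value does not carry the {xor} prefix")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")

# A regex is used instead of an XML parser so that partial or elided
# exports (like the excerpt in the advisory) can still be scanned.
PROPERTY_RE = re.compile(
    r'<property\s+name="([^"]*)"\s+value="(\{xor\}[^"]*)"', re.IGNORECASE)

def audit_export(xml_text):
    """Return one finding per property whose value is recoverable.

    The recovered secret is not included in the finding, only its length,
    so the report itself can be shared without leaking credentials.
    """
    findings = []
    for lineno, line in enumerate(xml_text.splitlines(), 1):
        for name, value in PROPERTY_RE.findall(line):
            try:
                secret = deobfuscate(value)
            except ValueError:   # bad Base64 or undecodable bytes
                continue
            findings.append(
                {"line": lineno, "property": name, "length": len(secret)})
    return findings

# Constructed sample built from property lines in the advisory's excerpt.
SAMPLE = '''<config-properties>
    <property name="password" value="{xor}KD4sa28="/>
    <property name="databaseName" value="was40"/>
    <property name="user" value="was40"/>
</config-properties>'''

if __name__ == "__main__":
    for f in audit_export(SAMPLE):
        print("line %(line)d: property '%(property)s' holds a recoverable "
              "secret (%(length)d characters)" % f)
```

Any finding means the export file must be treated as holding the credential in clear text, which is why the workaround restricts where the file is written and has it destroyed after use.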



