Weak password protection in WebSphere 4.0.4 XML configuration export

2007.10.23
Credit: Jan P. Monsch
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2003-1447
CWE: N/A


CVSS Base Score: 1.9/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

############################################################# # # COMPASS SECURITY http://www.csnc.ch/ # ############################################################# # # Topic: WebSphere Advanced Server Edition 4.0.4 # Subject: Insufficient Password Protection in # Configuration Export # Author: Jan P. Monsch # Date: February 3, 2003 # ############################################################# Problem: -------- Passwords in WebSphere XML configruation export are not sufficiently protected. If the exported configuration gets into the hands of a malicous user, he or she can deobfuscated passworts easily and can gain access to the password protected resources. Workaround: ----------- Administrators should take care that they export the configuration to an administrator accessible directory only and destroy the export file after use. Vulnerable: ----------- - WebServer Advanced Server 4.0.4 - other versions might be vulnerable as well Not vulnerable: --------------- - Unknown Details: -------- WebSphere Advanced Server Edition 4.0.4 offers a management functionality which allows an administrator to export the whole WebSphere configuration as an XML file. The export includes passwords needed for accessing keying material and data sources: <jdbc-driver action="update" name="Sample DB Driver"> ... <config-properties> <property name="serverName" value=""/> <property name="password" value="{xor}KD4sa28="/> <property name="portNumber" value=""/> <property name="databaseName" value="was40"/> <property name="user" value="was40"/> <property name="disable2Phase" value="true"/> <property name="ifxIFXHOST" value=""/> <property name="URL" value=""/> <property name="informixLockModeWait" value=""/> </config-properties> </data-source> These passwords are obfuscated and Base64Encoded. Those areas obfuacated are marked with the {XOR}-prefix. The obfuscation algorithm is as follows: - CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"),where n is the position of the character - ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword) Deobfuscation process: - ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded) - CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_") Regards Jan -- _____________________________________________________________ Jan P. Monsch Compass Security Network Computing AG, CSNC Tel: +41 55 214 41 67 Fax: +41 55 214 41 61 E-mail: jan.monsch (at) csnc (dot) ch [email concealed] Web site: http://www.csnc.ch/ "Security Review - Penetration Testing" _____________________________________________________________


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top