Websphere pentesting questions

From: Feng Chih-hung (chfong@gmail.com)
Date: Fri Sep 23 2005 - 02:47:00 EDT


Hi:

In a recent pen-test I came across a few websphere sites
in the customer's perimeter. I am not familiar with websphere,
maybe the experienced ones could shed some light on it:

1. At one site I am able to access the websphere system management
    interface. The url is not protected and with the "XML Web
    Administration Tool" it provides I am able to view/modify/delete
    websphere resources such as virtual host, default_app, etc.
    Is there any means to further exploit it to get, say, system
    access or privilege escalation?

2. With the admin tool mentioned above I dumped websphere workspace
    to an xml file in which I discovered an obfuscated password for
    ID administrator. Since the obfuscation algorithm is already known
    (base64_encode(passwd ^ "_")) I was able to restore the password.
    My question is where does this ID/passwd combination apply?
    Is it supposed to protect the admin interface?

3. I discovered a vulnerability in another websphere server.
    Specifically,
       http://domain.name.of.target/some.jsp works as expected. But
       http://ip.of.target/some.jsp reveals the source code
    My hypothesis is that this is a mis-configuration instead of
    a websphere software bug. Any suggestion? Could it be related
    to, say, the virtual host settings (or lack thereof)?

4. Another vulnerability in another websphere server:
    http://target/some.jsp works as expected, but
    http://target//some.jsp reveals source code
    Again, this looks like a mis-configuration because I could not
    find any information in the search of websphere vulnerability
    history.

In addition to notifying the customer of the vulnerabilities I have
to help them fix the problems and confirm they are fixed.
Therefore I would need as much info as I could gather.
Any comments are appreciated.

Regards
chfong
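
Added example, not part of the original post: a retest helper for confirming that items 3 and 4 are fixed. It requests the same JSP by hostname, by IP address, and with a doubled leading slash, and flags any response that still contains unrendered JSP markup. The function names, the sample bodies and the `example.test` / `192.0.2.10` values are constructed for illustration.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Markup that only reaches the client when a JSP is served as a static file.
JSP_SOURCE = re.compile(r"<%[\s\S]*?%>|<jsp:\w+")

# Constructed sample bodies (not captured from any real server).
SAMPLE_RENDERED = "<html><body>Hello</body></html>"
SAMPLE_SOURCE = ('<%@ page language="java" %>\n'
                 '<html><body><%= request.getParameter("q") %></body></html>')

def leaks_jsp_source(body):
    """True if the response body contains raw JSP directives or scriptlets."""
    return bool(JSP_SOURCE.search(body))

def variants(url, ip):
    """Build the three request forms described in items 3 and 4."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    query = f"?{p.query}" if p.query else ""
    return {
        "hostname": url,
        # Item 3: same path, but the Host header becomes the bare IP.
        "ip-as-host": f"{p.scheme}://{ip}{port}{p.path}{query}",
        # Item 4: same host, path prefixed with an extra slash.
        "double-slash": f"{p.scheme}://{p.netloc}/{p.path}{query}",
    }

def http_get(url, timeout=10):
    """Fetch a URL; an HTTP error page is returned as the body to inspect."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")

def retest(url, ip, fetch=http_get):
    """Map each variant name to True if it still discloses JSP source."""
    return {name: leaks_jsp_source(fetch(u))
            for name, u in variants(url, ip).items()}

if __name__ == "__main__":
    # Offline demo: a fake fetcher standing in for a server that is still affected.
    fake = lambda u: SAMPLE_RENDERED if u.endswith("test/some.jsp") else SAMPLE_SOURCE
    print(retest("http://www.example.test/some.jsp", "192.0.2.10", fetch=fake))
```

A fixed server yields `False` for all three variants; any `True` names the request form that still returns source.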
