In a default installation, WebSphere is set up to run as root and stores the administrator password in clear text in $WASROOT/properties/sas.server.props. The file has mode 600, so other users on the system cannot read it directly.
The problem is that, by default, all Java code deployed on WebSphere (JSPs, servlets, etc.) also runs as root and can therefore read or write any file on the server's file system.
A normal user who can place files on the system can write a JSP that reads sas.server.props, copy it into a directory WebSphere serves, and request it through a web browser, thereby obtaining the administrator password.
It may also be possible to write a JSP that creates shell scripts on the server's file system and executes them as root.
Credit:
The information has been provided by Tunkelo Heikki (extern) and Christer Palm.
Vulnerable systems:
IBM WebSphere 3.0.* on AIX, LINUX, SUN
IBM WebSphere 3.5.* on AIX, LINUX, SUN
Workaround:
A) Run WebSphere under a non-root identity (preferred)
For Sun Solaris:
http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
For Generic UNIX platform
http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
http://www7b.boulder.ibm.com/wsdd/library/presents/nonrootlogin.html
B) Create the application servers under a non-root identity (only if step A cannot be taken). This confines only the application servers, where the JSPs and servlets run, and does not change the identity of the rest of WebSphere.
http://www-4.ibm.com/software/webservers/appserv/doc/v40/ae/infocenter/was/0606a01.html
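The following audit script is an added example, not part of the advisory and not IBM's tooling. It checks the two conditions the advisory turns on: whether sas.server.props is readable only by its owner (and whether it still holds a cleartext password value), and whether any WebSphere JVM is still running as root, which is how you confirm workaround A or B actually took effect. It assumes WASROOT defaults to /usr/WebSphere/AppServer (adjust for your install) and matches the password property loosely on "password=", since the advisory does not name the exact key. The ps output built into the script is constructed for offline demonstration.

```shell
#!/bin/sh
# Audit helper added as an example; it is not part of the advisory or of
# IBM's tooling. It checks the conditions the advisory turns on:
#   1. sas.server.props has no group/other permission bits (mode 600 or
#      tighter) and whether it still carries a cleartext password value;
#   2. no WebSphere JVM is running as root, i.e. the workaround is in place.
# Assumptions: WASROOT defaults to /usr/WebSphere/AppServer (adjust to your
# install), and the password property is matched loosely on "password=",
# since the advisory does not name the exact key.

WASROOT="${WASROOT:-/usr/WebSphere/AppServer}"

# perms_ok FILE -> exit 0 when no group/other bits are set, 1 otherwise.
# ls -ld is used instead of stat because stat's flags differ between
# AIX, Solaris and Linux; columns 5-10 of ls -ld are the group/other bits.
perms_ok() {
  bits=$(ls -ld "$1" | cut -c5-10)
  [ "$bits" = "------" ]
}

# has_cleartext_password FILE -> exit 0 when a non-comment line assigns a
# non-empty value to a key ending in "password" (any case), 1 otherwise.
has_cleartext_password() {
  grep -v '^[[:space:]]*#' "$1" |
    grep -iq 'password[[:space:]]*=[[:space:]]*[^[:space:]]'
}

# root_was_processes PS_OUTPUT -> prints the lines of "ps -ef" output that
# describe a root-owned java process whose command line mentions WebSphere.
root_was_processes() {
  printf '%s\n' "$1" | awk '$1 == "root" && /java/ && /WebSphere/'
}

# audit -> exit 0 when the installation passes, 1 when a WARN is printed.
audit() {
  props="$WASROOT/properties/sas.server.props"
  rc=0
  if [ -f "$props" ]; then
    if ! perms_ok "$props"; then
      echo "WARN: $props is readable by group or other"
      rc=1
    fi
    if has_cleartext_password "$props"; then
      echo "INFO: $props holds a cleartext password value; any code running" \
           "as the file owner can read it"
    fi
  else
    echo "INFO: $props not found (check WASROOT=$WASROOT)"
  fi
  roots=$(root_was_processes "$(ps -ef)")
  if [ -n "$roots" ]; then
    echo "WARN: WebSphere JVM(s) running as root (workaround A/B not applied):"
    echo "$roots"
    rc=1
  fi
  return $rc
}

# Constructed sample of "ps -ef" output for offline demonstration; the
# process names are illustrative, not captured from a real system.
SAMPLE_PS='UID PID PPID C STIME TTY TIME CMD
root 101 1 0 10:00 ? 00:00:01 /usr/WebSphere/AppServer/java/bin/java AdminServer
wasadm 202 1 0 10:01 ? 00:00:01 /usr/WebSphere/AppServer/java/bin/java ManagedServer
root 303 1 0 10:02 ? 00:00:00 /usr/sbin/cron'

# With --run the live system is audited; otherwise the sample is shown.
if [ "$1" = "--run" ]; then
  audit
else
  echo "Root-owned WebSphere JVMs in the sample ps output:"
  root_was_processes "$SAMPLE_PS"
fi
```

Run it as `sh audit_was.sh --run` on the WebSphere host after applying workaround A or B; a clean run prints no WARN lines. Note that a 600 file is only as safe as the identity that owns it, so the permission check alone is not a pass: the JVM check is the one that tells you the JSP vector is closed.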