IBM WebSphere Reveals System Administrator Password
28 Dec. 2001
Summary
On default installation, WebSphere installs itself to run with root-identity, and stores administrator password as a clear text to a file $WASROOT/properties/sas.server.props. The file has permissions 600, and therefore other users on system cannot access it.
The problem is that by default all java-code at WebSphere (JSP's, Servlets etc.) is running with root-identity, therefore able to access all files on server's file system.
It is possible for normal user (who has access to the system) to construct a JSP file which reads the content of sas.server.props, copy it in appropriate directory and access the jsp through web-browser - thereby getting access to administrator password.
It might be also possible to construct a JSP file that creates shell-scripts to server file system and executes them with root-identity.
