[LWN.net]
From:	 "Tunkelo Heikki (extern)" <Heikki.Tunkelo@erln.gepas.de>
To:	 "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Subject: IBM WebSphere on UNIX security alert !
Date:	 Thu, 13 Dec 2001 11:36:34 +0100

====================================================================== 
IBM Websphere reveals system root password.

Author : Heikki Tunkelo (heikki.tunkelo@erln.gepas.de)
Date   : 13.12.2001
====================================================================== 

=== Brief description ===

It is possible to obtain the root password of a system running WebSphere.


=== Affected Systems === 

IBM WebSphere 3.0.* on AIX, LINUX, SUN
IBM WebSphere 3.5.* on AIX, LINUX, SUN


=== Detailed Description === 

In a default installation WebSphere is set up to run under the root
identity, and stores the root password in clear text in the file
$WASROOT/properties/sas.server.props. The file has permissions 600,
so other users on the system cannot read it directly.

The problem is that, by default, all Java code hosted by WebSphere
(JSPs, servlets etc.) also runs under the root identity and can
therefore read every file on the server's filesystem that root can read.

A normal user (anyone with an account on the system) can therefore
write a JSP file that reads the contents of sas.server.props, copy it
into a directory from which the server will serve it, and request the
JSP through a web browser, thereby obtaining the root password.

It may also be possible to construct a JSP file that writes shell
scripts to the server's filesystem and executes them with the root
identity.
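
As an added check (not part of this advisory and not IBM's code), the
following JSP reports the identity the servlet engine runs under and
whether sas.server.props is readable from a JSP, so that an
administrator can confirm what the engine can reach before and after
applying the workaround below. The install path is an assumption and
must be adjusted to the site's $WASROOT. It deliberately does not print
the file's contents: if the engine still runs as root, a page that
echoed the file would itself hand the root password to anyone who can
request it. Remove the page once the check is done.

```jsp
<%@ page import="java.io.File" contentType="text/plain" %>
<%--
  Added check, not from the advisory. Deploy under a served directory,
  request it once through a browser, then delete it.
  The path below is an assumption; set it to $WASROOT/properties/sas.server.props.
--%>
<%
    String propsPath = "/usr/WebSphere/AppServer/properties/sas.server.props"; // assumed
    // Identity of the JVM hosting this JSP (the servlet engine's identity).
    String user = System.getProperty("user.name");
    File props = new File(propsPath);
    boolean exists = props.exists();
    // canRead() answers for the engine's identity, not for the browser user.
    boolean readable = exists && props.canRead();

    out.println("servlet engine runs as: " + user);
    out.println("checked file: " + propsPath);
    out.println("file exists: " + exists);
    out.println("readable from JSP: " + readable);

    if ("root".equals(user)) {
        // Every JSP on this server can read anything root can read.
        out.println("RESULT: engine runs as root; workaround (a) is not in effect");
    } else if (readable) {
        out.println("RESULT: engine runs as " + user
            + " and can read sas.server.props; verify that the file no longer"
            + " holds the root password and is owned by " + user + " with mode 600");
    } else if (exists) {
        out.println("RESULT: engine runs as " + user
            + " and cannot read sas.server.props");
    } else {
        out.println("RESULT: file not found; check propsPath");
    }
%>
```

With workaround (a) the engine identity reported here should be the
non-root user chosen for WebSphere; that user still needs to read its own
sas.server.props, so "readable from JSP: true" is expected there, and the
point to verify is that the file no longer contains root's credentials.
With workaround (b) an application server running as a non-root user
should report the file as not readable, since it remains root's 600 file.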

=== Workaround === 

a) Change WebSphere to run under a non-root identity
(this is preferred)
For Sun Solaris:
http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
For generic Unix platforms:
http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
http://www7b.boulder.ibm.com/wsdd/library/presents/nonrootlogin.html

b) Create application servers under a non-root identity
(do this only if you cannot take step (a))
http://www-4.ibm.com/software/webservers/appserv/doc/v40/ae/infocenter/was/0606a01.html

====================================================================== 

Contact the author for more details and for help with the workaround.

Heikki

--
Heikki Tunkelo