The Channel logo

News

By | Dan Goodin 29th November 2007 01:00

BEA portal product springs a leak

Think Dumpable

Organizations using a popular portal server made by BEA Systems may be interested to learn that researchers have figured out a simple way for unauthenticated users to obtain every user name stored on their systems.

The user name leak resides in an advanced search function in the BEA Plumtree Portal 6.0, according to this advisory from researchers at ProCheckUp, a company that provides penetration testing services. The results included both regular user names as well as those belonging to administrators.

"What we found is that by tweaking the parameters of the search functionality, it is possible to obtain all the usernames of the target corporate portal," the researchers wrote in a report. "What makes this vulnerability attractive is that the attacker doesn't need to be logged in in order to obtain the list of usernames."

The enumeration made possible by the vulnerability is of the "dumpable" type, meaning there is no need to run a dictionary attack to find valid usernames, as is often the case with attacks on user databases.

The vulnerability has been fixed in the AquaLogic Interaction 6.1 MP1. Users not ready to upgrade can also work around the bug by making configuration changes to the product. BEA representatives were not immediately available for comment.

ProCheckUp also disclosed two other vulnerabilities affecting Plumtree that are available here and here. The researchers who discovered the bugs are Adrian Pastor, a member of GNUCitizen, and Jan Fry. ®

comment icon Read 1 comment on this article alert Send corrections

Opinion

Trevor Pott

Why aren't you, personally, stopping the moronocalypse?
Star Trek Into Darkness

Chris Mellor

Federation fissiparousness to form co-ordinated divisions
iot_internet_of_things

Chris Mellor

EMC is ahead overall with HDS mounting an IoT catch-up

Features

Lego gandalf by https://www.flickr.com/photos/isherwoodchris/  CC 2.0 https://creativecommons.org/licenses/by-sa/2.0/ attribution sharealike
Why interconnectivity in the cloud is tougher than just stacking bricks
Handing over dollars picture via Shutterstock
Steve Ballmer. Pic:  Aanjhan Ranganathan
Nokia is the biggest write-off yet, but it wasn't the first
Confused computer keyboard
Last Christmas, I gave you my Cloud, the very next day you gave it away