BEA Plumtree portal user names can be brute forced over HTTPS
Plumtree portal has a remote search facility that is accessible to unauthenticated users and accepts wildcards. As a result, valid user names can be enumerated over an HTTPS connection by unauthorised attackers. Plumtree Portal is an enterprise information portal acquired two years ago by BEA and subsumed into its Aqualogic business collaboration suite.
The vulnerability has been reported in an advisory by UK penetration testing company ProCheckup. Proofs of concept are provided in the advisory, for example
https://[hostname]/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and
which the investigators found lists all the user names on the system, in pages of 100 entries.
ProCheckup points out that administrative account names are not exempt from disclosure by this means, and that because the portal does not enforce password complexity, it is likely that enumerated accounts could be compromised. They classify the bug as medium severity. The researchers have also found an internal host name disclosure vulnerability and a full version disclosure vulnerability in the product, both of which they classify as low severity.
BEA have provided fixes for all these flaws in Aqualogic Interaction 6.1 MP1. Config changes can also apparently be applied in ALUI 6.x versions, but the researchers do not specify what they are.
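For sites that cannot apply the fix immediately, the enumeration leaves a recognisable trace in web server logs: an unauthenticated client sending bare-wildcard full-text searches to /portal/server.pt and stepping through in_hi_req_page offsets. The script below is an added example, not code from the advisory or from BEA; it parses constructed combined-format log lines (the parameter names come from the PoC URL above, the IP addresses and timestamps are invented) and reports each client that issued such searches together with the page offsets it requested.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format), not taken from the
# advisory: one client pages through a bare-wildcard search, another runs a
# normal keyword search.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2007:10:00:01 +0000] "GET /portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and HTTP/1.1" 200 48213
203.0.113.7 - - [01/Jan/2007:10:00:03 +0000] "GET /portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=200&parentname=AdvancedSearch&in_ra_topoperator=and HTTP/1.1" 200 47990
198.51.100.4 - - [01/Jan/2007:10:01:00 +0000] "GET /portal/server.pt?space=SearchResult&in_tx_fulltext=quarterly+report&parentname=AdvancedSearch HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
SEARCH_PATH = "/portal/server.pt"  # endpoint named in the advisory's PoC URL


def is_wildcard_search(path):
    """True when the request hits the search endpoint with a full-text
    term consisting only of '*' (the pattern used in the advisory's PoC)."""
    url = urlsplit(path)
    if url.path != SEARCH_PATH:
        return False
    term = parse_qs(url.query).get("in_tx_fulltext", [""])[0].strip()
    return term != "" and set(term) == {"*"}


def find_enumeration(log_text):
    """Return {source_ip: sorted result-page offsets requested} for every
    client that issued at least one bare-wildcard search. A client walking
    through successive in_hi_req_page values is the enumeration signature."""
    pages = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_wildcard_search(m.group("path")):
            continue
        q = parse_qs(urlsplit(m.group("path")).query)
        pages[m.group("ip")].add(int(q.get("in_hi_req_page", ["0"])[0]))
    return {ip: sorted(p) for ip, p in pages.items()}


if __name__ == "__main__":
    for ip, offsets in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: wildcard searches, page offsets requested {offsets}")
```

Because legitimate users may occasionally submit a wildcard search, treat a single hit as low confidence and alert on clients that request several successive page offsets or that do so without an authenticated session.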
- PR06-11: BEA Plumtree portal search facility leaks usernames to unauthenticated users, ProCheckup advisory