In association with heise online

29 November 2007, 13:38

BEA Plumtree portal user names can be brute forced over HTTPS


Plumtree Portal has a remote search facility that is accessible to unauthenticated users and accepts wildcards. As a result, unauthorised attackers can enumerate valid user names over an HTTPS connection. Plumtree Portal is an enterprise information portal acquired two years ago by BEA and subsumed into its Aqualogic business collaboration suite.

The vulnerability has been reported in an advisory by UK penetration testing company ProCheckup. Proofs of concept are provided in the advisory, for example:

https://[hostname]/portal/ space=SearchResult&in_tx_fulltext=*&in_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and

which the investigators found lists all the user names on the system, in pages of 100 entries.

ProCheckup point out that administrative names are not exempt from detection by this means, and that as the portal does not enforce password complexity, it is likely that accounts could be compromised. They classify the bug as medium severity. The researchers have also found an internal host name disclosure vulnerability and a full version disclosure vulnerability in the product, both of which they classify as low severity.

BEA have provided fixes for all these flaws in Aqualogic Interaction 6.1 MP1. Config changes can also apparently be applied in ALUI 6.x versions, but the researchers do not specify what they are.
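For administrators who cannot upgrade immediately, the following added example (not code from the advisory or from BEA) scans web server access logs for successful wildcard searches against the SearchResult space, grouped by client address. The log lines are constructed, the combined log format is an assumption, and the path `/portal/search` is a placeholder because the article does not give the full path.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
# "/portal/search" is a placeholder path; only the query parameters come from the article.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Nov/2007:13:01:02 +0000] "GET /portal/search?space=SearchResult&in_tx_fulltext=*&in_hi_req_page=100 HTTP/1.1" 200 48211 "-" "-"
192.0.2.10 - - [29/Nov/2007:13:01:05 +0000] "GET /portal/search?space=SearchResult&in_tx_fulltext=adm%2A&in_hi_req_page=100 HTTP/1.1" 200 39102 "-" "-"
198.51.100.7 - - [29/Nov/2007:13:02:11 +0000] "GET /portal/search?space=SearchResult&in_tx_fulltext=quarterly+report HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [29/Nov/2007:13:02:40 +0000] "GET /portal/home?space=Login HTTP/1.1" 200 2048 "-" "-"
"""

# client address, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')


def is_wildcard_search(url):
    """True if the request targets the SearchResult space with a wildcard term."""
    # parse_qs percent-decodes values, so an encoded "%2A" is caught as well.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "SearchResult" not in params.get("space", []):
        return False
    return any("*" in term for term in params.get("in_tx_fulltext", []))


def wildcard_searches_by_client(log_text):
    """Count successful (HTTP 200) wildcard searches per client address."""
    hits = {}
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and m.group(3) == "200" and is_wildcard_search(m.group(2)):
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits


if __name__ == "__main__":
    for client, count in wildcard_searches_by_client(SAMPLE_LOG).items():
        print(f"{client}: {count} wildcard search request(s)")
```

Access logs alone do not show whether a request carried a valid session, so hits need to be correlated with the portal's authentication logs before they are treated as unauthenticated enumeration.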
