• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

IBM WebSphere JSP Root Password Disclosure Vulnerability

IBM WebSphere is a commercial web application server which runs on a number of platforms.

The root password for AIX, Linux and Sun systems is stored plaintext in a file called $WASROOT/properties/sas.server.props, which is not readable by non-root users. However, IBM WebSphere normally runs as root in default installations. In addition, all Java code on a host running IBM WebSphere is also executed with root privileges. This leaves an opening whereby an unprivileged local attacker could create a JSP script which could read the root password from $WASROOT/properties/sas.server.props to gain elevated privileges.

There are a number of other security implications that arise from a local unprivileged user being able to execute arbitrary code as root, all resulting in an escalation of privileges. Additionally, with the default configuration, hosts running IBM WebSphere may be vulnerable to a remote root compromise in cases where a remotely exploitable vulnerability allows arbitrary code execution.