
IBM WebSphere Exported XML Password Encoding Weakness

IBM WebSphere allows administrators to export configuration files to XML. When the WebSphere configuration file is exported in this manner, passwords are obfuscated using an easily reversible algorithm. If an attacker gains access to an exported XML configuration file, it is a trivial task to decode the password.

The WebSphere documentation states that exported configurations will contain encoded (and not encrypted) passwords. Administrators should be cautious when exporting configuration files.

This issue was reported in IBM WebSphere Advanced Server Edition 4.0.4. It is not known if the same encoding is used in other versions. However, the core weakness is that passwords are encoded, and may therefore be easier to reverse than if they were encrypted using a strong algorithm, so all current versions should be considered prone to this weakness to some degree.







 

Copyright 2009, SecurityFocus