Vulnerability in BEA Portal Could Expose Usernames
Organizations that use BEA Systems' widely used portal server may find unauthorized users harvesting usernames stored on their networks, according to security researchers.
BEA AquaLogic Interaction provides interface services and Web integration for all AquaLogic enterprise solutions.
According to news from Secunia on November 28, 2007, Jan Fry and GNUCitizen member Adrian Pastor have reported a vulnerability in BEA AquaLogic Interaction that malicious people could exploit to reveal sensitive information.
The username exposure problem lies within an advanced search service of BEA's Plumtree Portal 6.0, according to an advisory by researchers at ProCheckUp, a provider of penetration testing services. The vulnerability could also affect other versions of the portal. The results that the researchers obtained included both routine usernames and those of administrators.
Unauthorized users who perform an advanced search could enumerate valid usernames with just one HTTP request. The searches allow wildcards, meaning that substrings could be used to target specific types of usernames, such as test usernames and admin usernames.
The researchers' report noted that by manipulating the search parameters, one could get hold of the entire list of usernames of the targeted corporate portal. Channel Register published this in news on November 29, 2007. What is attractive about the vulnerability is that an attacker need not log on to access the usernames, the researchers wrote.
Exploiting the vulnerability enumerates valid usernames by a 'dumping' method, meaning that a dictionary-type attack is not required to find the usernames, as it is in attacks against user databases.
According to the ProCheckUp website, since the Plumtree portal configuration doesn't require complex passwords and makes most of the usernames available, it is quite possible for an attacker to break into accounts that use easy-to-guess passwords.
Meanwhile, security experts have found a patch for the vulnerability in AquaLogic Interaction 6.1 MP1. Those who don't want to upgrade could change the configuration of the product, a tactic that would disable the bug.
There are two more vulnerabilities residing in Plumtree that ProCheckUp has uncovered.
» SPAMfighter News - 10-12-2007