Explore the latest news and trends  

Keep yourself up to date with one of the following options:

  • Explore more news around Spam/Phishing, Malware/Cyber-attacks and Antivirus
  • Receive news and special offers from SPAMfighter directly in you inbox.
  • Get free tips and tricks from our blog and improve your security when surfing the net.
Go

Vulnerability in BEA Portal could Expose Username

Organizations that use BEA Systems' widely used portal server may find unauthorized users hacking into usernames saved on their networks, according to security researchers.

BEA AquaLogic Interaction is a provider of interface services and Web integration for all solutions of AquaLogic enterprises.

According to news from Secunia on November 28 2007, Jan Fry and GNUCitizen's member, Adrian Pastor, have reported vulnerability in BEA AquaLogic Interaction, which malicious people could exploit to reveal sensitive information.

The problem of username exposure lays within an advanced search service of the Plumtree Portal 6.0 of BEA, according to an advisory by researchers at ProCheckUp, a provider of services for penetration testing. The vulnerability could also affect other versions of the portal. The results that the researchers obtained consisted of both routine usernames and those of the administrators.

Unauthorized users who perform an advanced search could count valid usernames by just one HTTP request. The searches allow wildcards, meaning the use of substrings could facilitate in targeting specific types of usernames such as test usernames and admin usernames.

The researchers' report noted that by twisting the search parameters, one could get hold of the entire list of usernames of the corporate portal under target. Channel Register published this in news on November 29, 2007. What is attractive about the vulnerability is that an attacker need not to log on to access the usernames, the researchers wrote.

The counting of valid usernames by exploiting the vulnerability is by the 'dumping' method, implying that a dictionary type of attack is not required to find the usernames unlike the necessity in waging attacks against user databases.

According to ProCheckUp website, since Plumtree portal configuration doesn't require complex passwords and makes available most of the usernames, it is quite possible for an attacker to hack into accounts that employ easy-to-guess passwords.

Meanwhile, security experts have found a patch for the vulnerability in the AquaLogic Interaction 6.1 MP1. For those who don't want to upgrade, could change the configuration of the product, a tactic that would disable the bug.

There are two more vulnerabilities residing in Plumtree that ProCheckUp has uncovered.

Related article: Vulnerabilities in Web Applications Invite Hackers’ Activities

» SPAMfighter News - 10-12-2007

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Exchange Anti Spam Filter
Go back to previous page
Next