Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: rudi carell (rudicarellHOTMAIL.COM)
Date: Mon Feb 05 2001 - 12:13:10 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    hola friends,

    while i was participating on the openhack contest
    i found a couple of serious security-holes within ibm s
    so called "netcommerce" thing which seems to be a mixture of
    websphere, net.data, servlets, jsp s and db2?


    class: input validation error
    remote: yes
    local: yes
    vulnerable: ibm netcommerce 3???


    besides well known websphere-bugs (file thru disclosure and default-admin
    passwords) ...

    the most dangerous bugs result from NON-existing input validation within
    netcommerc s net.data "macros".

    by crafting malformed http-requests it is possible to extract "any"

    combining this method with other default-"netcommerce" funcionality
    (PasswordReset for example) it is possible to take hold of so called
    "store-" or "site-manager"-accounts.

    once youre an nc-administrator you are allowed to use all the admin-tools.

    at this point youre able to up- and download files, issue op-system-commands
    or do any query with the very very high-privileged DB2INST1 account.

    this can lead to a possible take-over of the whole system....

    many "default-macros" are vulnerable to this (classic:-) sort of attack.


    a few examples:

    1) "HowTo find Administrator Accounts"

    2) "Passwords(crypted)"

    3) "Password-Reminders"

    of course "orderdspc.d2w" is not the only vulnerable macro .. it s just an
    example. casting between different data-types is possible (read the db2-man

    also it should(not proofed) be possible to query other databases.

    vendor status:

    this mail was sent to "ersers.ibm.com" last week.
    (ers = emergency response team)

    nice day,



    <FLAME> due to the very unprofessional(or should i say unfair) system-setup
    of the openhack-servers i was not able to proof the whole concept </FLAME>

    Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.