Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: rudi carell (rudicarellHOTMAIL.COM)
Date: Mon Feb 05 2001 - 12:13:10 CST
while i was participating on the openhack contest
i found a couple of serious security-holes within ibm s
so called "netcommerce" thing which seems to be a mixture of
websphere, net.data, servlets, jsp s and db2?
class: input validation error
vulnerable: ibm netcommerce 3???
besides well known websphere-bugs (file thru disclosure and default-admin
the most dangerous bugs result from NON-existing input validation within
netcommerc s net.data "macros".
by crafting malformed http-requests it is possible to extract "any"
combining this method with other default-"netcommerce" funcionality
(PasswordReset for example) it is possible to take hold of so called
"store-" or "site-manager"-accounts.
once youre an nc-administrator you are allowed to use all the admin-tools.
at this point youre able to up- and download files, issue op-system-commands
or do any query with the very very high-privileged DB2INST1 account.
this can lead to a possible take-over of the whole system....
many "default-macros" are vulnerable to this (classic:-) sort of attack.
a few examples:
1) "HowTo find Administrator Accounts"
of course "orderdspc.d2w" is not the only vulnerable macro .. it s just an
example. casting between different data-types is possible (read the db2-man
also it should(not proofed) be possible to query other databases.
this mail was sent to "ersers.ibm.com" last week.
(ers = emergency response team)
<FLAME> due to the very unprofessional(or should i say unfair) system-setup
of the openhack-servers i was not able to proof the whole concept </FLAME>
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.