PR06-11: BEA Plumtree portal search facility leaks usernames to unauthenticated users

Description:

BEA Plumtree portal 6.0 is vulnerable to username leakage through the search facility.

By performing an advanced search, unauthenticated users can enumerate valid usernames
with a single HTTP request. Wildcards are allowed in searches, which means that
substrings can be used in order to target specific username types such as admin
usernames and test usernames.

Note: this username enumeration weakness _doesn't_ require attackers to perform
dictionary or bruteforce attacks in order to obtain usernames.

Date Found: 12th September 2006

Vendor contacted: 18th May 2007

Vulnerable: BEA Plumtree 5.0.2, 5.0.3, 5.0.4, 6.0.1.218452 and possibly other versions.

Severity: Medium

Authors: Adrian Pastor [adrian.pastor [at] procheckup.com], Jan Fry [jan.fry [at] procheckup.com] and Richard Brain [richard.brain[at]procheckup.com] from ProCheckUp Ltd (www.procheckup.com)

ProCheckUp thanks BEA for working with us.

Proof of concept:

The following requests all usernames ('*' wildcard), showing a maximum of 100 usernames per page:

https://[hostname]/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*&in_hi_req_ apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_ topoperator=and

The wildcard '*' character can also be combined in the 'in_tx_fulltext' parameter with strings.

The following request enumerates usernames that contain the substring 'admin' within them:

https://[hostname]/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*admin*&in_hi_ req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_ topoperator=and

The following request enumerates usernames that contain the substring 'test' within them:

https://[hostname]/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*test*&in
_hi_req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra
_topoperator=and

Consequences:

Valid usernames can be easily enumerated by attackers. This includes usernames with administrative privileges on Plumtree portal. Considering that Plumtree portal setups don't enforce password complexity requirements, and many usernames are usually available, it is highly likely that an attacker can hijack accounts that use easy-to-guess passwords.

Fix: this has been addressed in AquaLogic Interaction 6.1. MP1. This can also be addressed by making config changes in ALUI 6.x versions.

References:

http://www.plumtree.com/
http://dev2dev.bea.com/pub/advisory/254
http://www.procheckup.com/Vulnerability_2007.php

Legal:

Copyright 2007 ProCheckUp Ltd.

All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp indicating this web page URL, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited.

ProCheckUp is not liable for any misuse of this information by any third party. ProCheckUp is not responsible for the content of external Internet sites.