IBM WebSphere ikeyman Weak Encrypted Password Vulnerability
BID:1763
Info
| Bugtraq ID: | 1763 |
| Class: | Design Error |
| CVE: | CVE-1999-0944 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Oct 24 1999 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | Posted to Bugtraq on October 24, 1999 by Major Malfunction <[email protected]>. |
| Vulnerable: | IBM WebSphere Application Server 3.0; IBM WebSphere Application Server 2.0 |
| Not Vulnerable: | |
Discussion
IBM WebSphere ships with a tool called 'ikeyman' that encrypts server certificates/key pairs when the IBM HTTP Server and SSL connections are enabled. ikeyman stores the password in a stash file, which can be easily decrypted using a freely available script (see Exploit tab).
Exploit / POC
Major Malfunction <[email protected]> has released the following exploit (code by Ben Laurie):
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].