Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Servers :: web4921.htm

IBM Websphere reveals system root password (local)
13th Dec 2001 [SBWID-4921]

	IBM Websphere reveals system root password (local)


	 IBM WebSphere 3.0.* on AIX, LINUX, SUN

	 IBM WebSphere 3.5.* on AIX, LINUX, SUN



	Heikki Tunkelo posted :

	On  default  installation  WebSphere  installs  itself   to   run   with
	root-identity, and stores root password  as  a  clear  text  to  a  file
	$WASROOT/properties/sas.server.props. The file has permissions 600,  and
	therefore other users on system cannot access it.

	The problem is that by  default  all  java-code  at  WebSphere  (jsp\'s,
	Servlets etc.) are running with root-identity, therefore able to  access
	all files on servers filesystem readable by root.

	It is possible  for  normal  user  (who  has  access  to  the  system)to
	construct a JSP file which reads the content of  sas.server.props,  copy
	it in approriate directory  and  access  the  jsp  through  web-browser.
	Thereby getting access to root password.

	It might  be  also  possible  to  construct  a  JSP  file  that  creates
	shell-scripts   to   server   filesystem   and   executes   them    with


	a) Change websphere to run with non root-identity  (This  is  preferred)
	For Sun solaris:


	For Generic Unix platform


	b) Create application servers on non-root identity (do this only if  you
	cannot take the (a) step)



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH