[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Websphere 3.5

To: Alerta Redsegura <alerta@xxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] Websphere 3.5
From: yossarian@xxxxxxxxx
Date: Fri, 22 Oct 2004 10:20:49 +0200

Apart from not being supported by IBM any longer? Insecurities in WAS usually 
emerge from how you deploy it (LDAP? - remember that ldap requests are usually 
clear text)(and hardly anyone ever managed to get Global Security working so 
often the admin console is not secured), are specific to the version (*nix?, 
OS390?, Windows?, 3.5.6 or other fixlevel) and type (EE, AE etc...). Besides, 
keeping WAS 3.5 on the right fixlevel all over can really be a pain. 

Anyway I advise you to NEVER deploy Was3.5 if webfacing without some sort of 
EDGE technology, i.e. some reverse proxy. And of course for WAS 3.5 - go for 
the apache layer. It is very likely to be an older one. Then google for Apache 
1.3.17 exploits. Or go to apache.org ....

Good luck

(BTW don't 0wn things you don't own)

----- Oorspronkelijk bericht -----
Van: Alerta Redsegura <alerta@xxxxxxxxxxxxx>
Datum: donderdag, oktober 21, 2004 7:25 pm
Onderwerp: [Full-Disclosure] Websphere 3.5

> Hi,
> 
> Anyone aware of vulnerabilities (besides those you can find 
> Googling) in
> Websphere 3.5?
> 
> 
> Regards,
> 
> 
> Iñigo
> alerta@xxxxxxxxxxxxx
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re: [Full-Disclosure] ms backup schedule
Next by Date: [Full-Disclosure] J2ME security vulnerabilities
Previous by thread: RE: [Full-Disclosure] Virus/Trojan trying to connect external:445 and 212.175.149.149.6667
Next by thread: [Full-Disclosure] J2ME security vulnerabilities
Index(es):
- Date
- Thread