Organizations using a popular portal server made by BEA Systems may be interested to learn that researchers have figured out a simple way for unauthenticated users to obtain every user name stored on their systems.
The user name leak resides in an advanced search function in the BEA Plumtree Portal 6.0, according to an advisory from researchers at ProCheckUp, a company that provides penetration testing services. The results include regular user names as well as those belonging to administrators.
"What we found is that by tweaking the parameters of the search functionality, it is possible to obtain all the usernames of the target corporate portal," the researchers wrote in a report. "What makes this vulnerability attractive is that the attacker doesn't need to be logged in in order to obtain the list of usernames."
The enumeration made possible by the vulnerability is of the "dumpable" type: a single request returns the complete list, so there is no need to run a dictionary attack that confirms guessed names one at a time, as is often the case with attacks on user databases.
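To make the "dumpable" versus dictionary-style distinction concrete, here is an added illustration, not code from this page, from BEA or from ProCheckUp: a hypothetical unauthenticated search handler whose wildcard query returns the entire user table, beside a hardened lookup that requires a session and an exact name and therefore leaves the attacker only a guess-per-request oracle. The handler, its parameter names ("q" and "type"), the user table and the word list are all constructed assumptions and say nothing about how Plumtree's search actually worked.

```python
"""Dumpable vs. guessable user enumeration (added example, not vendor code)."""
from dataclasses import dataclass, field

# Constructed sample directory (not real data). Administrators sit next to
# ordinary users, which is why one unauthenticated dump is worse than a
# single leaked name.
USERS = [
    {"name": "jsmith", "role": "user"},
    {"name": "mjones", "role": "user"},
    {"name": "portaladmin", "role": "admin"},
]

# Constructed word list an attacker might use against the hardened lookup.
WORDLIST = ["admin", "jsmith", "root", "portaladmin", "guest"]


@dataclass
class Request:
    params: dict = field(default_factory=dict)
    authenticated: bool = False


def vulnerable_search(req: Request) -> list[str]:
    """Hypothetical flawed advanced search.

    Three defects combine into a "dumpable" leak: no login check, the caller
    picks the object type to search, and an empty or wildcard pattern matches
    every record, so one request returns the whole user list.
    """
    if req.params.get("type", "document") != "user":
        return []
    pattern = req.params.get("q", "")
    return [u["name"] for u in USERS
            if pattern in ("", "*") or pattern in u["name"]]


def hardened_lookup(req: Request) -> list[str]:
    """Same feature with the fixes a reviewer would ask for.

    Requires an authenticated session, refuses wildcards and short patterns,
    and only answers an exact-name match, so the best an attacker can do is
    confirm one guessed name per request (a dictionary attack).
    """
    if not req.authenticated:
        raise PermissionError("login required")
    pattern = req.params.get("q", "").strip()
    if "*" in pattern or len(pattern) < 3:
        return []
    return [u["name"] for u in USERS if u["name"] == pattern]


def denied(handler, req: Request) -> bool:
    """True if the handler rejects the request with PermissionError."""
    try:
        handler(req)
    except PermissionError:
        return True
    return False


def dictionary_probe(handler, wordlist: list[str]) -> tuple[list[str], int]:
    """Guess-and-check enumeration against an authenticated exact-match lookup.

    Returns (confirmed_names, requests_sent). Each confirmation costs one
    request, and a name absent from the word list is never discovered,
    which is exactly what the dumpable flaw lets an attacker skip.
    """
    hits = [g for g in wordlist
            if handler(Request({"q": g}, authenticated=True))]
    return hits, len(wordlist)


if __name__ == "__main__":
    print("dump:", vulnerable_search(Request({"type": "user", "q": "*"})))
    print("unauthenticated hardened:", denied(hardened_lookup, Request({"q": "*"})))
    print("dictionary:", dictionary_probe(hardened_lookup, WORDLIST))
```

The hardened version still has a residual oracle (an exact name returns a hit), which is why a real fix pairs it with rate limiting and logging of failed lookups rather than relying on the minimum-length check alone.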
The vulnerability has been fixed in the AquaLogic Interaction 6.1 MP1. Users not ready to upgrade can also work around the bug by making configuration changes to the product. BEA representatives were not immediately available for comment.
ProCheckUp also disclosed two other vulnerabilities affecting Plumtree. The researchers who discovered the bugs are Adrian Pastor, a member of GNUCitizen, and Jan Fry. ®
Thursday, November 29, 2007
BEA portal product springs a leak
So many paths to Nirvana
We've groused repeatedly about the gaps in the software development lifecycle, or more specifically, that communication and coordination have been haphazard at best when it comes to developing software.
Aside from the usual excuses of budgets, time schedules, or politics, the crux of the problem is not only the crevice that divides software development from the business, but the numerous functional silos that divide the software development organization itself.
Software developers have typically looked down on QA specialists as failed or would-be developers; software engineers look down on developers as journeymen at best, cowboys at worst; while enterprise architects wonder why nobody wants to speak to them.
Not only do you have functional silos and jealousies, but the kinds of metadata, artifacts, and rhythms vary all over the map as you proceed to different stages of the software lifecycle. Architecture deals with relatively abstract artifacts that have longer lifecycles, compared to code and test assets that are highly volatile. And depending on the nature of the business, requirements may be set in code or continually ephemeral. No wonder that the software delivery lifecycle has often resembled a game of telephone tag.
A decade ago, Rational pioneered the vision that tools covering different stages of software development belonged together. But it took a decade for the market that Rational created to actually get named – Application Lifecycle Management (ALM). And it took even longer for vendors that play in this space to figure out how the tooling should fit together.
What's interesting is that, unlike other more thoroughly productized market segments, there has been a wide diversity among ALM providers on where the logical touch points are for weaving what should be an integrated process.
IBM/Rational has focused on links between change management, defect management, and project portfolio management
Borland’s initial thrust has been establishing bi-directional flows from requirements to change management and testing, respectively
Serena and MKS have crafted common repositories grafting source code control and change management with requirements
Compuware attempts to federate all lifecycle activities as functions of requirements, from project management and source code changes to test and debugging
But what about going upstream, where you define enterprise architecture and apply it to specific systems? That's where Telelogic has placed its emphasis, initially tying requirements as inputs to enterprise architecture or vice versa.
It has now extended that capability to its UML modeler and Java code generation tool through integration with the same repository. What would be interesting would be generation of BPMN, the modeling notation for business process modeling, that several years ago joined UML in the OMG modeling language family. For now, Telelogic's Tau can generate UML from BPMN notation, but nothing more direct than that.
In looking at the different approaches by which vendors integrate their various ALM tooling, it's not just a matter of connecting the dots. The dots that are connected represent different visions of where the most logical intersections in the software delivery lifecycle occur. Should the lifecycle be driven by enterprise architecture, or should we drive it as a function of requirements or testing? Or should we skip the developer stuff altogether and just generate byte code from a BPMN or UML model?
It's an issue where the opportunity to play God might be all too tempting. The reality is, just as there is no such thing as a single grand unified software development process methodology, there is no single silver bullet when it comes to integrating the tools that are used for automating portions of the application lifecycle.
This article originally appeared in onStrategies.
Copyright © 2007, onStrategies.com
Tony Baer is the principal with analyst onStrategies. With 15 years in enterprise systems and manufacturing, Tony specialises in application development, data warehousing and business applications, and is the author of several books on Java and .NET.
Dell fills out XPS laptop line
Dell has rolled out its latest XPS laptop, a model that builds on the m1330, launched last May, with a bigger, 15.4in widescreen display and available with an optional slot-load Blu-ray Disc drive.
The XPS m1530 can be configured with a range of Intel Core 2 Duo mobile processors, up to 4GB of 667MHz DDR 2 memory and a number of hard drive options, including a 64GB solid-state disk. Graphics come courtesy of either an Nvidia GeForce 8400M GS with 128MB of video memory, or a 256MB GeForce 8600M GT.
But despite its 15.4in diagonal size, the screen's resolution is just 1280 x 800, a ratio more common with smaller displays.
The laptop has the usual array of USB, Firewire, Ethernet (10/100Mb/s) and VGA ports, but it also features an HDMI connector to allow it to drive HD TVs. There's an eight-in-one memory card reader and an ExpressCard 54 slot too.
Other refinements include a two-megapixel webcam mounted above the display, Bluetooth 2.0 if you want it, a variety of Wi-Fi options, including 802.11n, and WAN cards too.
UK prices start at £699, US prices at $999. Available now, the m1530 comes in a choice of red, black and white colour schemes.
Posted by Free One by One at 2:18 AM
Iron Mountain lands ICANN data escrow agreement
Iron Mountain announced today that it has begun providing long-awaited data escrow services to ICANN and its panoply of approved registrars. Ever since the RegisterFly debacle exposed ICANN’s failure to account properly for the data escrow requirements of its Registrar Accreditation Agreement (RAA), data escrow has been at or near the top of the ICANN agenda.
ICANN-approved registrars provide domain registration and hosting services, and contact with a registrar is generally as close as your average domain holder gets to the nuts and bolts of the internet.
For those unfamiliar with RegisterFly saga, a bizarre personal feud between two business partners led to the first collapse of an ICANN-approved registrar. In the aftermath of this business failure, thousands of RegisterFly customers either lost their domains or were left in limbo for months. Had ICANN at the time enforced the RAA provision that required registrars to escrow registrants’ data, much of the consumer fallout and attendant bad press for ICANN could have been avoided.
“The vast majority of ICANN's accredited registrars offer high levels of service and integrity; however, as we have seen, there is the risk that poorly performing registrars can hurt registrants significantly. ICANN has selected Iron Mountain Digital as its escrow agent to help implement the Registrar Data Escrow program, a sensible and practical measure to protect registrants by storing and safeguarding a backup copy of domain name registration data in escrow,” said Paul Twomey, ICANN CEO and President, without mentioning RegisterFly by name – not to mention any of the other shoddy registrars out there, some of whom prefer not to take ICANN’s phone calls, as compliance director Stacy Burnette has acknowledged at the last couple of ICANN meetings.
The press release touts Iron Mountain’s experience and professionalism with escrowery.
“As the founder of the technology escrow industry, Iron Mountain is proud to have been selected for such an important escrow program,” said John Boruvka, vice president of Intellectual Property Management for Iron Mountain Digital. “ICANN joins thousands of customers worldwide who rely on Iron Mountain’s technology escrow services to protect their intellectual property.”
Other providers will also be allowed to provide escrow services subject to ICANN approval, but clearly the choice of Iron Mountain is meant to send a signal that ICANN is not going to tolerate the fly-by-night operators in data escrow that have existed on the fringes of the registrar community.®
Burke Hansen, attorney at large, heads a San Francisco law office