VID | 21769 |
Severity | 40 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
The affected installation of the Horde application uses an administrator account without a password. The Horde Application Framework is a Web application framework written in PHP. The default installation of Horde3 for Debian Linux has a blank administrator password. A local or remote attacker can exploit this vulnerability to gain administrative access to the affected application. This may aid an attacker in further attacks against the underlying system; other attacks are also possible.
* References: http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00280.html
* Platforms Affected: Debian Horde 3.0.4 Linux Any version |
Recommendation |
For Debian GNU/Linux 3.1 (sarge): Upgrade to the latest version of Horde3 (3.0.4-4sarge1 or later), as listed in Debian Security Advisory DSA 884-1 at http://www.debian.org/security/2005/dsa-884
-- OR --
Immediately set the password for the Horde administrator account to a value that is difficult to guess, as described on the Horde Web site at http://www.horde.org/horde/docs/?f=INSTALL.html#configuring-horde |
Related URL | CVE-2005-3344 (CVE) |
Related URL | 15337 (SecurityFocus) |
Related URL | (ISS) |