| VID |
22129 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Sambar web server allows access to the Admin page with no password. Sambar Server is a multi-threaded HTTP, FTP and Proxy server for Windows environments. It provides a web interface for configuration. By default, Sambar Server 4.1beta ships with the default account "admin" with no password. The server also ships with other default accounts without passwords, such as "anonymous" and "guest", though these accounts are non-privileged. If the default configuration is not changed, a remote attacker can gain unauthorized access to the web server and compromise it. For example, a remote attacker can set the HTTP-Root to C:\ and delete files in it.
* References: http://www.securityfocus.com/bid/2255 http://www.iss.net/security_center/static/1669.php |
| Recommendation |
Change the 'admin' username and password to secure values via the web interface before a remote attacker changes them.
To change the password:
1. Access the web interface at the URL "http://hostname/session/adminlogin?RCpage=/sysadmin/index.stm" to log in as the administrator.
2. When the "Network Password Input" window opens, enter the "admin" username with no password.
3. Find the "admin" account under the following path: Sambar Information -> User Management -> root
4. Enter the new password in the "Password" field of the "Update User" frame.
5. Click the <Update User> button.
-- OR --
Upgrade to the latest non-beta Sambar version (5.2 or later), available from: http://www.sambar.com |
| Related URL |
CVE-1999-0508 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|