| Field | Value |
| --- | --- |
| VID | 22139 |
| Severity | 40 |
| Port | 8888 |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | Sun AnswerBook2 allows remote users to access unauthorized administrative scripts. Sun AnswerBook2 is a utility that lets users view Sun online documentation with a Web browser. The Inso DynaWeb web server, dwhttpd, is used as a subcomponent in products such as Sun's AnswerBook2, and AnswerBook2 ships as part of the Solaris operating environment. A lack of authentication in AnswerBook2 versions 1.2 through 1.4.2 allows a remote attacker to gain unauthorized access to administrative scripts, which lets the attacker perform administrative functions such as creating a new admin user or viewing the server's error log. For example, the following URL displays the error log of the local AnswerBook2 server: `http://localhost:8888/ab2/@AdminViewError`. Many more (possibly more useful) scripts can be abused, including AdminAddadmin (adds user 'foo' with password 'bar'): `http://localhost:8888/ab2/@AdminAddadmin?uid=foo&password=bar&re_password=bar`. Platforms Affected: Sun AnswerBook2 1.2, 1.3, 1.4, 1.4.1, 1.4.2 |
| Recommendation | No remedy available as of August 2002. If not needed, disable the AnswerBook2 facility: (1) stop the dwhttpd daemon: `# /etc/init.d/ab2mgr stop`; (2) rename the RC script so it is no longer started from the boot scripts: `# mv /etc/rc2.d/S96ab2mgr /etc/rc2.d/s96ab2mgr` |
| Related URL | CVE-2002-2425 (CVE) |
| Related URL | 5383 (SecurityFocus) |
| Related URL | 9756 (ISS) |