| Field | Value |
|---|---|
| VID | 22360 |
| Severity | 40 |
| Port | 8080 |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The Sybase EAServer Management server uses the default password for the 'jagadmin' user. Sybase EAServer is an open application server that runs on Microsoft Windows and Unix-based operating systems. Sybase EAServer ships with an administrator account enabled by default. The default password for the "jagadmin" user (which is created automatically during the initial installation) is blank. A remote attacker with knowledge of this account could connect to an affected server through the Web interface, gain unauthorized access, and make unauthorized changes to the server's configuration settings. |
| References | http://www.sybase.com/detail?id=1036742 ; http://securitytracker.com/alerts/2005/Jul/1014497.html ; http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm ; http://archives.neohapsis.com/archives/bugtraq/2005-07/0247.html |
| Platforms Affected | Sybase EAServer 4.2.5 to 5.2, any operating system, any version |
| Recommendation | Immediately change the default password for the "jagadmin" user to a value that is difficult to guess. -- AND -- Upgrade to the latest EBFs for each released version, as detailed in the Sybase EAServer Security Issue Document Web page at http://www.sybase.com/detail?id=1036742 |
| Related URL | (CVE) |
| Related URL | 14287 (SecurityFocus) |
| Related URL | 21419 (ISS) |