VID | 25054
Severity | 40
Port | 9001
Protocol | TCP
Class | DB
Detailed Description | The HSQLDB database server is running with its default username and password. HSQLDB is an open-source database server written in Java; when started in server mode, its database engine listens on TCP port 9001 for network database connections made over JDBC. The default installation enables the built-in administrative account 'sa' with an empty password, and in many deployments this listener, and therefore the 'sa' account, is reachable remotely. A remote attacker who connects with these default credentials can execute arbitrary SQL commands through JDBC against the affected host, with the full privileges of the database administrator account.
* References: http://hsqldb.org/, http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0411.html
* Platforms Affected: HSQLDB database server, any version; any operating system, any version
Recommendation | Set a strong, hard-to-guess password on the default 'sa' account, and restrict network access to the HSQLDB listener (TCP port 9001) to trusted IP addresses only. Do both where possible: a password change alone still leaves the administrative account exposed to guessing from any host that can reach the port, and a network restriction alone leaves the empty password usable by anything inside the trusted range.
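The following is an added verification and remediation example written for this entry; it is not code from the advisory or from the HSQLDB project. It performs the exact authentication the description refers to (user SA, empty password, HSQL network protocol on port 9001 over JDBC), reports whether the server accepts it, and, when run with a `-fix` argument, applies the recommended password change with HSQLDB's `ALTER USER ... SET PASSWORD` statement. The class name, the command-line argument order, the `-fix` flag and the `HSQLDB_SA_PASSWORD` environment variable are this example's own conventions; the HSQLDB JDBC driver jar is assumed to be on the classpath.

```java
// Added example (not from the advisory or the HSQLDB project): checks whether an
// HSQLDB network server accepts the default SA account with an empty password
// over JDBC, and optionally applies the recommended fix. The class name, argument
// order, -fix flag and HSQLDB_SA_PASSWORD variable are assumptions of this example.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class HsqldbDefaultSaCheck {

    // JDBC URL for HSQLDB's network server ("hsql" protocol, default port 9001).
    // An empty alias selects the server's first (default) database.
    static String jdbcUrl(String host, int port, String alias) {
        return "jdbc:hsqldb:hsql://" + host + ":" + port + "/" + alias;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9001;
        String alias = args.length > 2 ? args[2] : "";
        boolean fix = args.length > 3 && args[3].equals("-fix");
        String url = jdbcUrl(host, port, alias);

        // JDBC 4 drivers self-register; Class.forName is only needed for the old
        // 1.8.x driver class and is harmless when the class is absent.
        try { Class.forName("org.hsqldb.jdbcDriver"); } catch (ClassNotFoundException ignored) { }
        try { Class.forName("org.hsqldb.jdbc.JDBCDriver"); } catch (ClassNotFoundException ignored) { }

        // The authentication the advisory describes: user SA with an empty password.
        try (Connection c = DriverManager.getConnection(url, "SA", "")) {
            System.out.println("VULNERABLE: " + url + " accepted user SA with an empty password");

            // Demonstrate that arbitrary SQL runs: read the system catalog, which
            // exists under INFORMATION_SCHEMA in both 1.8.x and 2.x servers.
            try (Statement st = c.createStatement();
                 ResultSet rs = st.executeQuery(
                         "SELECT COUNT(*) FROM INFORMATION_SCHEMA.SYSTEM_TABLES")) {
                if (rs.next()) {
                    System.out.println("  catalog reachable: " + rs.getInt(1) + " tables visible");
                }
            }

            if (fix) {
                String newPassword = System.getenv("HSQLDB_SA_PASSWORD");
                if (newPassword == null || newPassword.length() < 16) {
                    throw new IllegalStateException(
                            "set HSQLDB_SA_PASSWORD (16 or more characters) before using -fix");
                }
                // SA is the DBA account, so it may change its own password. The
                // password is a single-quoted SQL string literal; escape any quote.
                try (Statement st = c.createStatement()) {
                    st.execute("ALTER USER SA SET PASSWORD '"
                            + newPassword.replace("'", "''") + "'");
                }
                System.out.println("  SA password changed; re-run without -fix to confirm "
                        + "the empty password is now rejected");
            }
        } catch (SQLException e) {
            // Bad credentials, connection refused and an unknown database alias
            // all surface here as SQLException; the message tells them apart.
            System.out.println("NOT VULNERABLE (or unreachable): " + e.getMessage());
        }
    }
}
```

Run it against a host that you are authorized to test, with the HSQLDB driver jar on the classpath, giving the host, the port (9001 by default) and, if the server was started with a named database, its alias. A result of "NOT VULNERABLE" for a server that you know is listening means the empty password was rejected; distinguish that from a connection failure by reading the exception message. The `-fix` path only closes the credential half of the finding: the network restriction in the Recommendation still has to be applied at the firewall or in the server's bind configuration.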
Related URL | CVE-2005-3280, CVE-2005-4668 (CVE)
Related URL | 15141 (SecurityFocus)
Related URL | 22557 (ISS)