|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 1012 CVE : CVE-2006-2738 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : No Credit : Cemil Degirmenci (cd wavecon de) Published : 03.06.2006
Advisory Content : -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Advisory Name Open-Xchange defaultuser with /bin/bash Vendor Open-Xchange Inc. Product Open-Xchange Version < 0.8.2 Author Cemil Degirmenci Risk high o Description: ======================= The OPEN-XCHANGE Collaboration and Integration Server Environment allows you to store appointments, contacts, tasks, email messages, bookmarks, documents, and many more elements, and share them with other users. It can be accessed via any modern Web browser and multiple fat clients like MS Outlook, Palm devices, KDE Kontact, Apple's iCAL, Konqueror, Mozilla Calendar, any many more, based on open standards and interfaces. Third party products can access this application over many different interfaces such as WebDAV (XML), LDAP, iCal, an API, and HTTP/S o Vulnerability ======================= There is a defaultuser with username "mailadmin" and password "secret" in Open-Xchange-LDAP. dn: uid=mailadmin,ou=Users,ou=OxObjects,dc=example,dc=org objectClass: top objectClass: shadowAccount objectClass: posixAccount objectClass: person objectClass: inetOrgPerson objectClass: OXUserObject uidNumber: 1001 homeDirectory: /home/mailadmin/ loginShell: /bin/bash mailEnabled: OK gidNumber: 500 mailDomain: example.org ou: Administration uid: mailadmin sn: Admin preferredLanguage: EN mail: mailadmin (at) example (dot) org [email concealed] o: Example Organization smtpServer: localhost imapServer: localhost alias: postmaster (at) example (dot) org [email concealed] alias: root (at) example (dot) org [email concealed] givenName: Admin cn: Admin Admin shadowMin: 0 shadowMax: 9999 shadowWarning: 7 shadowExpire: 0 userPassword: secret OXAppointmentDays: 5 OXGroupID: 500 OXTaskDays: 5 OXTimeZone: Europe/Berlin This vulnerability only appears in the opensource version of Open-Xchange o Solution ======================= Be aware before you activate Unix-Authentification against Open-Xchange and change the password and loginshell of this user. Don't trust default-installations at all. o Reference ======================= http://www.open-xchange.org/bugzilla/show_bug.cgi?id=2815 o Notes ======================= The vendor was informed 2006-05-18. There was also a news on the german newssite golem.de on 2006-05-19 (http://www.golem.de/0605/45407.html) - -- Wavecon IT-Solutions GbR Frankenstrasse 9 - 90762 Fuerth Email: support (at) wavecon (dot) de [email concealed] - Web: http://www.wavecon.de -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEd1aLudsr6D13pqsRAoxcAJsGQz5ccJUeLBjLI0gX//t8l2hEYwCgkGb2 ah1cR+Jvf+bClo3zmPUo97k= =Cba0 -----END PGP SIGNATURE-----  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |