
Bug 120352

Summary: net-proxy/paros <= 3.2.5 default 'sa' password, db and system access
Product: Gentoo Security
Reporter: Rob M. <thehandoftyr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: net-proxy+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.securiteam.com/unixfocus/5NP0815HFG.html
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Rob M. 2006-01-25 15:40:44 UTC
Affects: net-proxy/paros <= 3.2.5

Paros's HSQLDB integrated database application (in Java) has a default blank 'sa' password.

This allows access to all Paros information in the application database (which may be particularly sensitive, as Paros is a security auditing application), and access to execute arbitrary Java statements (part of the stored procedure functionality).

Because it is installed as an application, system access may be possible if a security policy is not properly defined for the JVM (most JVMs don't have one).

Resolution: upgrade to 3.2.8, purge older ebuilds from portage.

Credits: Andrew Christansen
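The following is an added check for the condition the report describes; it is not code from Paros, from HSQLDB, or from this bug. It tries the HSQLDB default account ('sa' with an empty password) against an instance, lists the application tables a successful login exposes, proves the Java static-method call path the report mentions with a harmless property read, and can optionally set a password on the account. Everything not stated on this page is an assumption: the JDBC URL is a placeholder, the driver class name org.hsqldb.jdbcDriver and the CALL "pkg.Class.method"(args) and SET PASSWORD "…" syntax are those of the HSQLDB 1.x line that Paros 3.2.x shipped with, and the HSQLDB driver jar must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Added check, not part of Paros or HSQLDB. Usage:
 *   java -cp hsqldb.jar:. HsqldbDefaultSaCheck [jdbcUrl] [newSaPassword]
 * Assumptions (not from the bug page): the default URL is a placeholder,
 * the driver class is the HSQLDB 1.x org.hsqldb.jdbcDriver, and the SQL
 * syntax used is that of HSQLDB 1.x.
 */
public class HsqldbDefaultSaCheck {

    public static void main(String[] args) throws Exception {
        // Placeholder URL; point it at the instance actually used by the application.
        String url = args.length > 0 ? args[0] : "jdbc:hsqldb:hsql://localhost/paros";
        String newPassword = args.length > 1 ? args[1] : null;

        Class.forName("org.hsqldb.jdbcDriver");

        Connection c;
        try {
            // The reported weakness: the built-in DBA account 'sa' with an empty password.
            c = DriverManager.getConnection(url, "sa", "");
        } catch (SQLException e) {
            System.out.println("OK: 'sa' with an empty password was rejected: " + e.getMessage());
            return;
        }

        try (Connection conn = c; Statement st = conn.createStatement()) {
            System.out.println("VULNERABLE: connected as 'sa' with an empty password to " + url);

            // Every application table is readable to this session; list them.
            try (ResultSet rs = st.executeQuery(
                    "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE TABLE_TYPE = 'TABLE'")) {
                while (rs.next()) {
                    System.out.println("  table: " + rs.getString(1));
                }
            }

            // A DBA session can invoke Java static methods through the stored-procedure
            // mechanism. A harmless property read is enough to prove the path exists;
            // whether it can be turned into system access depends on the JVM's
            // security policy, which the report notes is usually absent.
            try (ResultSet rs = st.executeQuery("CALL \"java.lang.System.getProperty\"('user.name')")) {
                if (rs.next()) {
                    System.out.println("  Java routine call works; JVM runs as user: " + rs.getString(1));
                }
            } catch (SQLException e) {
                System.out.println("  Java routine call refused: " + e.getMessage());
            }

            if (newPassword != null) {
                // Remediation for the current account. The application that owns the
                // database must then be given the new credential, or it will no longer
                // be able to open its own database.
                String quoted = newPassword.replace("\"", "\"\"");
                st.execute("SET PASSWORD \"" + quoted + "\"");
                System.out.println("  'sa' password changed.");
            }
        }
    }
}
```

Run it without a second argument first; a clean result prints only the "OK" line. The password change is offered as the local stop-gap while the upgrade the report calls for is applied, and it does nothing about the second point in the report: as long as the JVM runs without a security policy, any account that can reach the Java routine path can still reach the system, so the real fix is the version bump plus keeping the database listener off the network.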
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-25 22:50:40 UTC
net-proxy please advise.
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2006-01-26 00:07:47 UTC
I've marked 3.2.8 stable on x86 (its probation time elapsed anyway), erased old versions (excepting the latest stable - 3.2.4) and I've bumped to 3.2.9.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-26 11:29:40 UTC
ready for glsa
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-29 13:22:10 UTC
GLSA 200601-15

Thx for reporting.