Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 120352 - net-proxy/paros <= 3.2.5 default 'sa' password, db and system access
Summary: net-proxy/paros <= 3.2.5 default 'sa' password, db and system access
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2006-01-25 15:40 UTC by Rob M.
Modified: 2006-01-29 13:22 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Rob M. 2006-01-25 15:40:44 UTC
Affects: net-proxy/paros <= 3.2.5

Paros's HSQLDB integrated database application (in Java) has a default blank 'sa' password.

this allows access to all Paros information in the application database (which may be particularly sensitive as Paros is a security auditing application), and access to execute arbitary Java statements (part of stored procedure functionality).

because it is installed as an application, system access may be possible if a security policy is not properly defined for the JVM (most JVM's don't have one).

Resolution: upgrade to 3.2.8, purge older ebuilds from portage.

Credits: Andrew Christansen
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-25 22:50:40 UTC
net-proxy please advise.
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2006-01-26 00:07:47 UTC
I've marked 3.2.8 stable on x86 (its probation time elapsed anyway), erased old versions (excepting the latest stable - 3.2.4) and I've bumped to 3.2.9.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-26 11:29:40 UTC
ready for glsa
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-29 13:22:10 UTC
GLSA 200601-15

Thx for reporting.