Missing admin sql password in Okena StormWatch

From: Marc Ruef (marc.ruefat_private)
Date: Tue Dec 17 2002 - 23:06:19 PST


    Hi!
    
    I was working with Okena StormWatch[1] - a really interesting commercial
    intrusion prevention product - and saw that the SQL password for the
    admin account (sa) is missing.
    
    With a SQL client and a blank password it's possible for everyone who
    can connect to the manager to compromise the whole system/network.
    
    My notification was sent on Fri, 15 Nov 2002 14:21:01 +0100 to
    infoat_private - Nothing came back.
    
    Thanks to Mario Robic for helping to discover this problem.
    
    Bye, Marc
    
    [1] http://www.okena.com
    
    -- 
    Computer, Technik und Security
    http://www.computec.ch
    


