
List:       intrusions
Subject:    Fw: Missing admin sql password in Okena StormWatch
From:       George Bakos <gbakos () ists ! dartmouth ! edu>
Date:       2002-12-18 18:43:24

Users of Okena Stormwatch intrusion prevention software should be aware of
the following and take steps (firewalling?) to ensure that outsiders, and
other unauthorized players, cannot connect to the manager.

If you already subscribe to bugtraq, my apologies for the duplicate posting.

Please folks, try your best NOT to deploy security solutions that suffer
from 3-year-old well-known vulnerabilities.

gb

Begin forwarded message:

Date: Wed, 18 Dec 2002 08:06:19 +0100
From: Marc Ruef <marc.ruef@computec.ch>
To: bugtraq@securityfocus.com, submissions@packetstormsecurity.org, news@securiteam.com
Subject: Missing admin sql password in Okena StormWatch


Hi!

I was working with Okena StormWatch[1] - a really interesting commercial
intrusion prevention product - and saw that the SQL password
for the admin account (sa) is missing.

With a SQL client and a blank password it's possible for everyone who
can connect to the manager to compromise the whole system/network.

My notification was sent on Fri, 15 Nov 2002 14:21:01 +0100 to
info@OKENA.com - Nothing came back.

Thanks to Mario Robic for helping to discover this problem.

Bye, Marc

[1] http://www.okena.com

-- 
Computer, Technik und Security
http://www.computec.ch



-- 
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos@ists.dartmouth.edu
voice 	603-646-0665
fax	603-646-0666
Key fingerprint = D646 8F91 F795 27EC FF8B  8C95 B102 9EB2 081E CB85
