<glsa id="200601-15">
<title>Paros: Default administrator password</title>
<synopsis>
Paros's database component is installed without a password, allowing
execution of arbitrary system commands.
</synopsis>
<product type="ebuild">Paros</product>
<announced>January 29, 2006</announced>
<revised>January 29, 2006: 01</revised>
<affected>
<package name="net-proxy/paros" auto="yes" arch="*">
<unaffected range="gt">3.2.5</unaffected>
<vulnerable range="le">3.2.5</vulnerable>
</package>
</affected>
<background>
<p>
Paros is an intercepting proxy between a web server and a client
meant to be used for security assessments. It allows the user to watch
and modify the HTTP(S) traffic.
</p>
</background>
<description>
<p>
Andrew Christensen discovered that in older versions of Paros the
database component HSQLDB is installed with an empty password for the
database administrator "sa".
</p>
</description>
<impact type="high">
<p>
Since the database listens globally by default, an attacker can
connect and issue arbitrary commands, including execution of binaries
installed on the host.
</p>
</impact>
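<p>
The two conditions described above (an HSQLDB network listener bound to all interfaces and the administrator account SA with an empty password) can be checked from the installed files. This is an added example, not part of the advisory or of Paros/HSQLDB itself; it assumes HSQLDB 1.8-style server.properties and database .script formats, and the sample contents are constructed.
</p>

```python
"""Audit an HSQLDB server setup for a globally bound listener and an
administrator account created with an empty password (added example;
file formats are assumptions modelled on HSQLDB 1.8, samples constructed)."""
import re

# Constructed server.properties: without a server.address line the
# HSQLDB Server binds its listener to every interface.
WEAK_SERVER_PROPERTIES = """\
server.database.0=file:paros/session
server.dbname.0=session
server.port=9001
"""

# Constructed .script file: HSQLDB persists user definitions as SQL.
WEAK_SCRIPT = """\
CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE USER SA PASSWORD ""
CREATE TABLE HISTORY(ID INTEGER)
"""

EMPTY_PASSWORD = re.compile(r'^CREATE USER (\S+) PASSWORD ""\s*$', re.IGNORECASE)


def listener_is_global(properties_text):
    """True when no server.address restricts the bind address, or it is 0.0.0.0."""
    for line in properties_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "server.address":
            return value.strip() in ("", "0.0.0.0")
    return True


def users_with_empty_password(script_text):
    """Names of database users whose CREATE USER statement carries an empty password."""
    return [m.group(1) for line in script_text.splitlines()
            if (m := EMPTY_PASSWORD.match(line.strip()))]


def audit(properties_text, script_text):
    """Return the list of findings; an empty list means neither weakness is present."""
    findings = []
    if listener_is_global(properties_text):
        findings.append("listener bound to all interfaces (set server.address=127.0.0.1)")
    for user in users_with_empty_password(script_text):
        findings.append(f"user {user} has an empty password (ALTER USER {user} SET PASSWORD ...)")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_SERVER_PROPERTIES, WEAK_SCRIPT):
        print("FINDING:", finding)
```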
<workaround>
<p>
There is no known workaround at this time.
</p>
</workaround>
<resolution>
<p>
All Paros users should upgrade to the latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-proxy/paros-3.2.8&quot;</code>
</resolution>
<references>
<uri link="">CVE-2005-3280</uri>
</references>
<metadata tag="submitter" timestamp="Thu, 26 Jan 2006 06:06:09 +0000">
</metadata>
<metadata tag="bugReady" timestamp="Fri, 27 Jan 2006 21:44:45 +0000">
</metadata>
</glsa>