Netwin WebNews 1.1k CGI program includes several default usernames and cleartext passwords that cannot be deleted by the administrator, which allows remote attackers to gain privileges via the username/password combinations (1) testweb/newstest, (2) alwn3845/imaptest, (3) alwi3845/wtest3452, or (4) testweb2/wtest4879.
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org .
This vulnerability was submitted to BugTraq on February 21st, 2002 by Shai <email@example.com>.
NetWin WebNEWS 1.1 k
NetWin WebNEWS 1.1 j
NetWin WebNEWS 1.1 i
NetWin WebNEWS 1.1 h
WebNEWS is a server product designed to provide access to news groups through a web interface. It is able to connect to any standard NNTP server, and is available for Windows, BSD, Linux and most Unix systems.
WebNEWS contains a number of default accounts which have been hard-coded into the program.
The following default accounts exist (username/password):
A remote attacker who is aware of these default accounts may use them to gain unauthorized access to the WebNEWS service.
There is no exploit required.
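Because the accounts cannot be removed, watching for their use is the practical control. The following is an added example, not part of the original advisory or of WebNEWS: it scans web server access logs for requests that carry one of the four hard-coded usernames. It assumes Common Log Format and that the username appears in the GET query string (credentials sent in a POST body will not show up in an access log); the CGI path, parameter names and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Usernames of the four hard-coded accounts listed in the advisory.
DEFAULT_USERS = {"testweb", "alwn3845", "alwi3845", "testweb2"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def find_default_account_use(lines):
    """Return {client_ip: [(timestamp, username, status), ...]} for requests
    whose query string carries one of the hard-coded usernames as a value."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed or non-CLF lines
        ip, ts, _method, target, status = m.groups()
        # parse_qsl URL-decodes values, so %-encoded usernames are caught too.
        # Values are matched whole (not as substrings) and case-insensitively;
        # the parameter name is ignored because it is not known from the advisory.
        for _key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            user = value.strip().lower()
            if user in DEFAULT_USERS:
                hits[ip].append((ts, user, int(status)))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, hypothetical path/parameters).
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Feb/2002:10:01:12 +0000] "GET /cgi-bin/webnews.cgi?user=testweb&cmd=list HTTP/1.0" 200 5120',
    '198.51.100.7 - - [21/Feb/2002:10:01:15 +0000] "GET /cgi-bin/webnews.cgi?user=%61lwn3845 HTTP/1.0" 200 4988',
    '203.0.113.20 - - [21/Feb/2002:10:02:40 +0000] "GET /cgi-bin/webnews.cgi?user=alice&cmd=list HTTP/1.0" 200 5301',
    '203.0.113.20 - - [21/Feb/2002:10:03:02 +0000] "GET /cgi-bin/webnews.cgi?group=testweb.announce HTTP/1.0" 200 812',
    'not a log line',
]

if __name__ == "__main__":
    for ip, events in find_default_account_use(SAMPLE_LOG).items():
        for ts, user, status in events:
            print(f"{ip} used default account {user!r} at {ts} (HTTP {status})")
```

Any hit is worth investigating, since no legitimate user should be signing in with these accounts.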