Published: 2005-10-23 06:02:00
Revised: 2008-09-05 16:53:57

[Original] Paros 3.2.5 uses a default password for the "sa" account in the underlying HSQLDB database and does not restrict access to the local machine, which allows remote attackers to gain privileges.

[CNNVD] Paros HSQLDB Remote Authentication Bypass Vulnerability (CNNVD-200510-171)

        Paros Proxy is a proxy program for assessing vulnerabilities in web applications.
        Paros 3.2.5 uses the default password for the "sa" account in the underlying HSQLDB database and does not restrict access to the local machine, which allows remote attackers to gain privileges.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or resource access may be interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official source) MITRE
(official source) NVD
(official source) CNNVD

- Other links and resources
(PATCH)  XF  paros-password-security-bypass(22557)
(PATCH)  BID  15141
(UNKNOWN)  BUGTRAQ  20060130 Re: [Full-disclosure] [ GLSA 200601-15 ] Paros: Default administrator password

- Vulnerability information

Paros HSQLDB Remote Authentication Bypass Vulnerability
High severity, design error
2005-10-23 00:00:00 2005-10-24 00:00:00

- Advisories and patches

        Paros Paros 3.2.5
        Paros Paros 3.2.6

- Vulnerability information

ParosProxy hsqldb Default Blank sa Password
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Unknown

- Vulnerability description

ParosProxy contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when hsqldb starts due to listening on all interfaces with a default password, which will disclose database content information resulting in a loss of confidentiality.

- Timeline

2005-10-07 2005-10-03
Unknown Unknown

- Solution

Upgrade to version 3.2.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Paros HSQLDB Remote Authentication Bypass Vulnerability
Design Error 15141
Yes No
2005-10-19 12:00:00 2006-02-07 08:54:00
FortConsult ApS is credited with the discovery of this vulnerability. Marc Schoenefeld is credited with pointing out the localhost attack scenario.

- Affected program versions

Paros Paros 3.2.6
Paros Paros 3.2.5
Gentoo Linux
Paros Paros 3.2.7

- Unaffected program versions

Paros Paros 3.2.7
Paros Paros 3.2.6

- Vulnerability discussion

Paros is prone to a remote authentication-bypass vulnerability.

This issue may result in the disclosure of sensitive information, and possible execution of commands on the victim machine.

Paros version 3.2.5 is affected; earlier versions may also be vulnerable.

Update: version 3.2.6 was released and addresses this issue for remote computers, because the database now listens only on localhost by default. Local users can still connect, since the default username 'sa' with a blank password is still used.

- Exploit

An exploit is not required.

- Solution

The vendor has released version 3.2.7 to address this issue. Version 3.2.7 uses the database in-process, and remote/localhost access is no longer possible.
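The three deployments the discussion and solution sections describe (3.2.5 listening on every interface, 3.2.6 bound to localhost, 3.2.7 opening the database in-process), written out as an added Java example that is not Paros's own code. The org.hsqldb.Server and JDBC calls are the real HSQLDB API; the catalog name "paros", the file paths and the class name are assumptions, as is an HSQLDB jar with a JDBC 4 auto-registering driver on the classpath:

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import org.hsqldb.Server;

public class HsqldbDeploymentExample {

    // Exposed deployment, matching the advisory's description of 3.2.5:
    // a standalone HSQLDB Server with no bind address set. Older HSQLDB
    // releases then listen on every interface, so the stock "sa" user
    // with an empty password is reachable from the network.
    public static Server startExposedServer(String dbPath) {
        Server server = new Server();
        server.setDatabaseName(0, "paros");          // assumed catalog name
        server.setDatabasePath(0, "file:" + dbPath);
        server.setPort(9001);                        // HSQLDB default port
        server.start();
        return server;
    }

    // Partial mitigation (what 3.2.6 is reported to do): keep the server
    // but bind it to the loopback address only. Remote hosts can no longer
    // reach it; local users still can, with "sa" and a blank password.
    public static Server startLoopbackServer(String dbPath) {
        Server server = new Server();
        server.setDatabaseName(0, "paros");
        server.setDatabasePath(0, "file:" + dbPath);
        server.setAddress("127.0.0.1");
        server.setPort(9001);
        server.start();
        return server;
    }

    // Full fix (what 3.2.7 is reported to do): open the database in-process
    // through a jdbc:hsqldb:file: URL. No TCP listener exists at all, so
    // neither remote nor local clients have anything to connect to.
    public static Connection openInProcess(String dbPath) throws SQLException {
        return DriverManager.getConnection("jdbc:hsqldb:file:" + dbPath, "sa", "");
    }

    public static void main(String[] args) throws SQLException {
        // Only the in-process form is exercised here; the two Server
        // variants are shown for contrast and would open a listening port.
        try (Connection conn = openInProcess("paros-db/paros")) {   // assumed path
            conn.createStatement().execute("SHUTDOWN");            // release the file lock
        }
    }
}
```

The in-process form removes the network attack surface the advisory is about, which is why no listening port appears for it; it does not by itself change the default "sa" credentials, so any code running inside the same JVM still opens the database with them.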

Gentoo Linux has released security advisory GLSA 200601-15 addressing this issue. Gentoo recommends that all Paros users upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-proxy/paros-3.2.8"

Paros Paros 3.2.5

Paros Paros 3.2.6

- Related references