geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Donald Woods (JIRA)" <j...@apache.org>
Subject [jira] Updated: (GERONIMO-3404) Using a Null Username allows access to a running 2.0 server
Date Tue, 25 Sep 2007 19:22:51 GMT

     [ https://issues.apache.org/jira/browse/GERONIMO-3404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Donald Woods updated GERONIMO-3404:
-----------------------------------

    Affects Version/s: 2.1
        Fix Version/s:     (was: 2.0.x)
                           (was: 2.0)
                       2.0.1

> Using a Null Username allows access to a running 2.0 server
> -----------------------------------------------------------
>
>                 Key: GERONIMO-3404
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3404
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.0, 2.1
>         Environment: Released geronimo-tomcat6-jee5-2.0-bin.zip on WinXP and on Linux
>            Reporter: Donald Woods
>            Assignee: David Jencks
>            Priority: Critical
>             Fix For: 2.0.1, 2.1
>
>         Attachments: GERONIMO-3404.patch
>
>
> I was just testing the geronimo-tomcat6-jee5-2.0-bin.zip on a new WinXP machine and discovered
that anyone can administer a Geronimo server (local or remotely) if they enter a null Username
when prompted by the deploy or geronimo scripts.  I verified that the <user_home>\.geronimo-deployer
file did not exist on the WinXP machine and on a Linux box I used to verify the remote scenario....


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message