Bugtraq mailing list archives

Novell Groupwise servlet gateway default username and password


From: AGray () novacoast com
Date: Sat, 15 Dec 2001 23:14:08 -0800

OS Affected
NT/2000/Netware 5

Programs Affected
Groupwise 5.5 Enhancement Pack
Groupwise 6.0

Discussion
A default username and password exists that controls the servlet manager.
The servlet manager allows the configuration of the servlets to be loaded,
reloaded or unloaded. This is more of an annoyance than an exploit. The
ability to control and unload servlets allows an attacker to deny web-based
services to users. This will prevent users from accessing mail or other
servlet-based resources.

Exploit
http://server/servlet/ServletManager
username servlet
password manager

Solution
Change the password:

Edit the SYS:\JAVA\SERVLETS\SERVLET.PROPERTIES file.
There is a section for ServletManager like the following:

# ServletManager servlet
servlet.ServletManager.code=com.novell.application.ServletGateway.ServletManager
servlet.ServletManager.initArgs=datamethod=POST,user=servlet,password=manager,bgcolor=#c0c0c0
servlet.ServletManager.preload=true

Novell Support
http://support.novell.com/


Adam Gray
CTO
Novacoast, Inc.
agray () novacoast com
800-949-9933x4145
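
The check described in the Solution section, as an added example that is not part of the original post: a Python audit that reads a copy of SERVLET.PROPERTIES and reports whether the ServletManager entry still carries the shipped password. The function names and sample file contents are constructed for illustration; only the property keys and the default value come from the advisory.

```python
DEFAULT_PASSWORD = "manager"  # shipped value named in the advisory
PREFIX = "servlet.ServletManager."

def parse_properties(text):
    """Minimal Java .properties reader: comments, key=value, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # logical line continues on the next one
            pending = line[:-1]
            continue
        if not line or line[0] in "#!":  # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def parse_init_args(value):
    """Split 'a=1,b=2' style initArgs into a dict."""
    args = {}
    for item in value.split(","):
        name, sep, val = item.partition("=")
        if sep:
            args[name.strip()] = val.strip()
    return args

def audit_servlet_manager(text):
    """Return a list of findings for the ServletManager entry."""
    props = parse_properties(text)
    if PREFIX + "code" not in props:
        return []                        # ServletManager is not configured
    password = parse_init_args(props.get(PREFIX + "initArgs", "")).get("password")
    if password == DEFAULT_PASSWORD:
        return ["default-password"]
    if not password:
        # Fallback behaviour is not stated in the advisory: flag for manual review.
        return ["password-missing"]
    return []

# Constructed sample input modelled on the section quoted in the advisory.
SAMPLE_DEFAULT = r"""# ServletManager servlet
servlet.ServletManager.code=com.novell.application.ServletGateway.ServletManager
servlet.ServletManager.initArgs=datamethod=POST,user=servlet,\
    password=manager,bgcolor=#c0c0c0
servlet.ServletManager.preload=true
"""
SAMPLE_CHANGED = SAMPLE_DEFAULT.replace("password=manager", "password=Constructed-Example-1")

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("changed", SAMPLE_CHANGED)):
        print(name, audit_servlet_manager(text) or "ok")
```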


