Geronimo / GERONIMO-3404

Using a Null Username allows access to a running 2.0 server


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0, 2.1
    • Fix Version/s: 2.0.1, 2.1
    • Component/s: security
    • Security Level: public (Regular issues)
    • Labels: None
    • Environment: Released geronimo-tomcat6-jee5-2.0-bin.zip on WinXP and on Linux
    • Flags: Patch Available, Regression

    Description

      I was just testing the geronimo-tomcat6-jee5-2.0-bin.zip on a new WinXP machine and discovered that anyone can administer a Geronimo server (locally or remotely) if they enter a null Username when prompted by the deploy or geronimo scripts. I verified that the <user_home>\.geronimo-deployer file did not exist on the WinXP machine or on the Linux box I used to verify the remote scenario....
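      The report above does not say where in the server the null username slipped through, so the following is an added illustration of the defence a practitioner would expect, not Geronimo's code and not the fix attached to this issue. It assumes the deploy tool talks to the server over a JSR-160 JMX connector (javax.management.remote), where the client hands the server a String[]{username, password} pair and the server's JMXAuthenticator decides whether to hand back a Subject. The user table is constructed test data; the class name StrictJmxAuthenticator is hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

// Hypothetical authenticator (not Geronimo's): shows the check that must run
// BEFORE any credential lookup so that a client which skips the username
// prompt (null or empty username) is refused instead of being let in.
public final class StrictJmxAuthenticator implements JMXAuthenticator {

    // username -> password; constructed sample data for this example only
    private final Map<String, char[]> users;

    public StrictJmxAuthenticator(Map<String, char[]> users) {
        this.users = users;
    }

    @Override
    public Subject authenticate(Object credentials) {
        // JSR-160 clients pass credentials as String[]{username, password}
        if (!(credentials instanceof String[])) {
            throw new SecurityException("credentials must be a String[2]");
        }
        String[] cred = (String[]) credentials;
        if (cred.length != 2) {
            throw new SecurityException("credentials must be a String[2]");
        }
        String user = cred[0];
        String pass = cred[1];

        // Fail closed: a null or blank username is never a valid principal,
        // regardless of what the password store would say about it.
        if (user == null || user.trim().isEmpty() || pass == null) {
            throw new SecurityException("username and password are required");
        }

        char[] expected = users.get(user);
        // Compare even when the user is unknown so timing does not leak
        // whether the username exists.
        char[] probe = expected != null ? expected : new char[0];
        boolean ok = expected != null && constantTimeEquals(probe, pass.toCharArray());
        if (!ok) {
            throw new SecurityException("invalid credentials");
        }

        Subject subject = new Subject();
        subject.getPrincipals().add(new JMXPrincipal(user));
        subject.setReadOnly();
        return subject;
    }

    // Length-independent comparison to avoid early-exit timing differences.
    private static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Quick demonstration of the three interesting cases.
    public static void main(String[] args) {
        Map<String, char[]> table = new HashMap<>();
        table.put("system", "manager".toCharArray()); // constructed sample user
        JMXAuthenticator auth = new StrictJmxAuthenticator(table);

        Object[] attempts = {
            new String[] {"system", "manager"}, // valid
            new String[] {null, "manager"},     // the bug in this report: must be refused
            new String[] {"", ""},              // blank username: must be refused
        };
        for (Object attempt : attempts) {
            try {
                Subject s = auth.authenticate(attempt);
                System.out.println("accepted: " + s.getPrincipals());
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

      The point of the ordering is that the null check sits ahead of the lookup: any store-backed lookup keyed on the username (a properties file, a map, a directory) is where a missing value can be silently treated as a match, so the authenticator never lets a null or blank name reach it.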

      Attachments

        1. GERONIMO-3404.patch (6 kB) by Vamsavardhana Reddy


          People

            Assignee: David Jencks (djencks)
            Reporter: Donald Woods (drwoods)
            Votes: 0
            Watchers: 0
