Apache Axis2 Admin Account Default Password

Strike ID:
E10-36301
CVSS:
10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
False Positive:
t
Variants:
1
Year:
2010

Description

This strike exploits a vulnerability in several applications that bundle Apache Axis2, including, but not limited to, SAP BusinessObjects Enterprise XI 3.2 and CA ARCserve D2D r15. The vulnerability is caused by shipping Apache Axis2 with the default credentials for its administrator account left unchanged. A remote, unauthenticated attacker can log in to the Axis2 administration console with these credentials, bypassing the host application's own authentication. From there, the attacker can use other console functions, such as service upload, to deploy a crafted web service archive and execute arbitrary code remotely under the SYSTEM account. The strike is implemented against CA ARCserve D2D r15. Post-authentication actions are not simulated, as they depend largely on the attacker's own intentions.
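The check a practitioner would want is whether the stock credentials still work. The following Python script is an added example, not part of the strike or of any vendor code: it submits the Axis2 admin login form with the values shipped in the stock axis2.xml (userName "admin", password "axis2") and classifies the reply. The login path and form field names are those of the Axis2 admin web application; the strings used to tell an accepted login from a rejected one, the sample responses, and the target URL are assumptions marked in the code. It stops at the login step and never touches the upload function.

```python
"""Probe an Axis2 admin console for the stock admin credentials.

Added example; not code from the strike page or from Apache Axis2.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Stock values from the axis2.xml that ships with Apache Axis2
# (<parameter name="userName">admin</parameter> / <parameter name="password">axis2</parameter>).
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "axis2"

# Login handler of the Axis2 admin web application, relative to the Axis2 web app root.
LOGIN_PATH = "axis2-admin/login"

# Constructed sample responses (not captured from a real system) used to exercise the classifier.
SAMPLE_REJECTED = (
    '<html><body><form method="post" action="axis2-admin/login">'
    '<input type="text" name="userName"><input type="password" name="password">'
    "<p>Invalid auth credentials!</p></form></body></html>"
)
SAMPLE_ACCEPTED = (
    "<html><body><h1>Welcome to Axis2 Web Admin Module</h1>"
    '<a href="axis2-admin/upload">Upload Service</a>'
    '<a href="axis2-admin/logout">Log out</a></body></html>'
)


def build_login_request(base_url: str,
                        user: str = DEFAULT_USER,
                        password: str = DEFAULT_PASSWORD) -> urllib.request.Request:
    """Build the POST the Axis2 admin login form submits (fields userName and password)."""
    url = urllib.parse.urljoin(base_url.rstrip("/") + "/", LOGIN_PATH)
    body = urllib.parse.urlencode({"userName": user, "password": password}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def login_succeeded(status: int, body: str) -> bool:
    """Classify a login response.

    Assumption: a rejected login re-renders the login form (userName field plus the
    'Invalid auth credentials' message); an accepted login renders the admin menu,
    which carries the logout link and no login form.
    """
    if status != 200:
        return False
    lower = body.lower()
    if "invalid auth credentials" in lower:
        return False
    return "axis2-admin/logout" in lower and 'name="username"' not in lower


def probe(base_url: str, timeout: float = 10.0) -> bool:
    """Return True if the default admin credentials are accepted at base_url."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    req = build_login_request(base_url)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return login_succeeded(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # A 4xx/5xx still carries a body; classify it the same way.
        return login_succeeded(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Assumed target URL: the Axis2 web app root of the host application being checked.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080/axis2/"
    if probe(target):
        print("default Axis2 admin credentials ACCEPTED at", target)
    else:
        print("default credentials rejected, or no Axis2 admin console at", target)
```

Run it against the Axis2 web app root of the product under test, for example the ARCserve D2D web server. A positive result means anyone who can reach that port has the same access the strike relies on; the fix is to change the userName/password parameters in axis2.xml or to remove the axis2-admin console from the deployed web application entirely.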

CVE

References

Bid