Tumbleweed MMS No Default Password Vulnerability

Bugtraq ID:	1562
Class:	Design Error
CVE:	CVE-2000-0772
Remote:	Yes
Local:	Yes
Published:	Aug 10 2000 12:00AM
Updated:	Jul 11 2009 02:56AM
Credit:	Posted to Bugtraq by "NT HATER" <[email protected]> on August 10, 2000.
Vulnerable:	Tumbleweed Messaging Management System (MMS) 4.6 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows NT 4.0 Tumbleweed Messaging Management System (MMS) 4.5 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows NT 4.0 Tumbleweed Messaging Management System (MMS) 4.3 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows NT 4.0
Not Vulnerable:

Tumbleweed MMS No Default Password Vulnerability

Tumbleweed Messaging Management System (MMS) (Formerly Worldtalk Worldsecure) creates a default user account 'sa' which by default uses no password. This lets a remote user connect to the database and delete or modify data.

Tumbleweed MMS No Default Password Vulnerability

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

Tumbleweed MMS No Default Password Vulnerability


Tumbleweed Messaging Management System (MMS) 4.3

• Tumbleweed saPassword
  http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/saPassword.exe

Tumbleweed Messaging Management System (MMS) 4.5

• Tumbleweed saPassword
  http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/saPassword.exe

Tumbleweed Messaging Management System (MMS) 4.6

• Tumbleweed saPassword
  http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/saPassword.exe

Tumbleweed MMS No Default Password Vulnerability

References:

• sa password and MMS security (Tumbleweed)
  
• Tumbleweed Messaging Management System (MMSTM) Homepage (Tumbleweed)