Open-Xchange Open Source Edition Default Credentials Vulnerability

Bugtraq ID:	18115
Class:	Design Error
CVE:	CVE-2006-2738
Remote:	Yes
Local:	No
Published:	May 27 2006 12:00AM
Updated:	Jan 14 2016 11:56PM
Credit:	This issue was discovered by Cemil Degirmenci.
Vulnerable:	Open-Xchange Open-Xchange 0.8.2
Not Vulnerable:

Open-Xchange Open Source Edition Default Credentials Vulnerability

The open-source edition of Open-Xchange is susceptible to a default-credentials vulnerability. This issue is due to a flaw in the installation process that results in an unintended account being created.

This issue allows remote attackers to use the default credentials to access various services, such as remote SSH, IMAP, and the webserver. This will aid them in the remote compromise of affected computers.

Open-Xchange Open Source Edition Default Credentials Vulnerability

Attackers use standard client applications to exploit this vulnerability.

Open-Xchange Open Source Edition Default Credentials Vulnerability

Solution:
Reportedly, the next release of Open-Xchange will include a fix for this issue. Users of affected packages should contact the vendor for information on obtaining fixed software.

Open-Xchange Open Source Edition Default Credentials Vulnerability

References:

• Bugzilla Bug 2815 (Open-Xchange)
  
• Open-Xchange Home Page (Open-Xchange)
  
• Wavecon Advisory: Open-Xchange <= 0.8.2 defaultuser with /bin/bash and default p (Cemil Degirmenci )