[17973] in bugtraq
Re: IBM DB2 default account and password Vulnerability
daemon@ATHENA.MIT.EDU (R. Lonstein)
Fri Dec 8 03:33:06 2000
Mail-Followup-To: "R. Lonstein" <lonstein>, BUGTRAQ@SECURITYFOCUS.COM
Message-Id: <20001206202931.A11497@technik.yi.org>
Date: Wed, 6 Dec 2000 20:29:31 -0500
Reply-To: "R. Lonstein" <lonstein@AGORON.COM>
From: "R. Lonstein" <lonstein@AGORON.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <007801c05ebf$caff3020$3300a8c0@dudu>; from benjurry@YEAH.NET on
Tue, Dec 05, 2000 at 09:32:18PM +0800
On Tue, Dec 05, 2000 at 09:32:18PM +0800, benjurry wrote:
[snip - hype]
> 2. Problem:
> During the installation of IBM DB2 V6.1 there is no prompt to the admin user to change the default passwords, leaving the possibility for a user to gain access to the database and even the system.
> Under winnt/win2k, the account named db2admin, the default password is db2admin. Under Linux the accounts named db2inst1, db2as, db2fenc1, and the default password is ibmdb2.
[snip]
I do not have the DB2 manuals at hand from home, but I believe that the
default accounts are mentioned both in the installation guide and the
vanilla-text install guide on the CD. I recall that under Solaris there
is also a warning when accepting the defaults that accounts will be
created.
Is it fair to assume that someone installing a product like DB2 is
likely to read the manual? Given the fact that this made the list, I'll
answer that question with, "No."
- Ross
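
A defender's check for the Linux accounts named in the quoted advisory, as an added example that is not part of the original message: it reads passwd- and shadow-format text and reports which of db2inst1, db2as and db2fenc1 exist and still accept a password. The function name, status labels and sample entries are constructed for illustration; the Windows db2admin account is not covered.

```python
# Added example: audit for the DB2 default Linux accounts named in the advisory.
DB2_DEFAULT_ACCOUNTS = {"db2inst1", "db2as", "db2fenc1"}  # names from the quoted text
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample input (not real hosts or hashes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
db2inst1:x:1001:1001::/home/db2inst1:/bin/bash
db2as:x:1002:1002::/home/db2as:/bin/bash
db2fenc1:x:1003:1003::/home/db2fenc1:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:11297:0:99999:7:::
db2inst1:$6$constructed$hash:11297:0:99999:7:::
db2as:!$6$constructed$hash:11297:0:99999:7:::
db2fenc1:$6$constructed$hash:11297:0:99999:7:::
"""

def audit_db2_defaults(passwd_text, shadow_text):
    """Return {account: status} for each DB2 default account that exists."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    findings = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or fields[0] not in DB2_DEFAULT_ACCOUNTS:
            continue
        name, shell = fields[0], fields[6]
        pw = hashes.get(name)
        if pw is None:
            status = "no-shadow-entry"        # cannot tell; check manually
        elif pw == "":
            status = "empty-password"         # account accepts an empty password
        elif pw[0] in "!*":
            status = "locked"                 # password login disabled
        elif shell in NOLOGIN_SHELLS:
            status = "password-set-no-shell"  # no shell, but password is still valid
        else:
            status = "needs-password-review"  # confirm the default was changed
        findings[name] = status
    return findings

if __name__ == "__main__":
    for account, status in sorted(audit_db2_defaults(SAMPLE_PASSWD, SAMPLE_SHADOW).items()):
        print(f"{account}: {status}")
```

On a real host, pass the contents of /etc/passwd and /etc/shadow (the latter needs root) instead of the sample strings.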