[wsas-java-dev] Security improvements to WSAS

Afkham Azeez azeez at wso2.com
Sun Feb 4 22:35:52 PST 2007


James Clark wrote:
> If the Admin user has not yet logged in, what IP addresses is WSAS
> listening on? Is there a window of vulnerability between 
> 
> - the time when WSAS is installed and
> - the time when the Admin user changes the default password
> 
> during which somebody unauthorized can log in using the default password
> from any IP address that can reach the WSAS machine? If so, then perhaps
> we need a better scheme.

Yes, there is a window of vulnerability. This can be handled easily in
the MSI, Deb & RPM installations, which can force the person carrying
out the installation to change the default admin password during the
installation. In the case of the zip, what we can do is, when WSAS is
starting up for the first time, prompt for the new password; until this
is changed, WSAS will not open the transport ports.

-- Azeez
-- 
Afkham Azeez
GPG Fingerprint: 643F C2AF EB78 F886 40C9  B2A2 4AE2 C887 665E 0760

http://www.wso2.org
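The first-start gate Azeez proposes for the zip distribution, as an added example that is not WSAS code: no transport listener is bound while the stored admin credential still matches the shipped default, and the prompt loop only ends once a password that is neither the default nor trivially short has been stored. The default value, the minimum length and the salted-hash storage are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.function.Supplier;

// Added example, not WSAS code: refuse to open transport ports until the
// admin password has been changed from the shipped default. The default
// value and the hashing scheme are assumptions made for this example.
public final class FirstBootGate {
    private static final String DEFAULT_ADMIN_PASSWORD = "admin"; // constructed placeholder
    private static final int MIN_LENGTH = 8;                      // assumed policy
    private final byte[] salt = new byte[16];
    private byte[] adminHash;       // salted SHA-256 of the current admin password
    private boolean transportsOpen; // stands in for the bound HTTP/HTTPS listeners

    public FirstBootGate() {
        new java.security.SecureRandom().nextBytes(salt);
        adminHash = hash(DEFAULT_ADMIN_PASSWORD); // a fresh install ships the default
    }
    // Constant-time check: is the stored credential still the shipped default?
    public boolean isStillDefault() {
        return MessageDigest.isEqual(adminHash, hash(DEFAULT_ADMIN_PASSWORD));
    }
    // Rejects the default itself and short passwords; returns true once changed.
    public boolean changeAdminPassword(String candidate) {
        if (candidate == null || candidate.length() < MIN_LENGTH
                || MessageDigest.isEqual(hash(candidate), hash(DEFAULT_ADMIN_PASSWORD))) {
            return false;
        }
        adminHash = hash(candidate);
        return true;
    }
    // Start-up: keep prompting until a valid new password is stored, then bind.
    // A null prompt result (no console available) leaves every transport closed.
    public boolean startup(Supplier<String> prompt) {
        while (isStillDefault()) {
            String entered = prompt.get();
            if (entered == null) return false;
            changeAdminPassword(entered); // rejected input simply re-prompts
        }
        transportsOpen = true; // real code would bind the transport listeners here
        return true;
    }
    public boolean transportsOpen() { return transportsOpen; }

    private byte[] hash(String password) {
        try { MessageDigest md = MessageDigest.getInstance("SHA-256"); md.update(salt);
              return md.digest(password.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Wire `startup` to a console reader at first boot; a plain SHA-256 is used here only to keep the example short, and a production credential store would use a slow password KDF instead.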
