Vendor: Shiva Access Manager
By: SecurityFocus
CVSS: 7.5 (HIGH)
Default Configuration Vulnerability
CWE: 259
Product Name: Shiva Access Manager
Affected Version From: Solaris and Windows NT
Affected Version To: Solaris and Windows NT
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Solaris and Windows NT
2002
Shiva Access Manager Default Configuration Vulnerability
Shiva Access Manager is vulnerable to a default configuration problem in its Solaris version (and possibly in the NT version as well, though this is unconfirmed). When the Access Manager is configured for LDAP, it prompts for the LDAP root 'Distinguished Name' and password. It stores this information in a text file, $SHIVA_HOME_DIR/insnmgmt/shiva_access_manager/radtac.ini, which is owned by root and world readable by default. The same file also contains the LDAP server's hostname and server port. Any local user who can read the file therefore obtains everything needed to completely compromise the LDAP server.
Mitigation:
Ensure that the $SHIVA_HOME_DIR/insnmgmt/shiva_access_manager/radtac.ini file is not world readable.
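The following audit script is an added example, not part of the original advisory or of the Shiva product: it checks whether radtac.ini is readable by "other" and removes that access. The install location is assumed to come from the SHIVA_HOME_DIR environment variable, as the advisory's path suggests; the `/opt/shiva` fallback is a placeholder.

```shell
#!/bin/sh
# Audit and harden the permissions of the Shiva radtac.ini file, which
# holds the LDAP root DN, password, hostname and port in clear text.
# Added example; SHIVA_HOME_DIR and the /opt/shiva fallback are assumptions.

# Return 0 if the file is readable by "other", 1 if not, 2 if it is missing.
# Uses ls -ld so it works on both Solaris and Linux without GNU stat.
is_world_readable() {
    f="$1"
    [ -e "$f" ] || return 2
    mode=$(ls -ld "$f" | cut -c1-10)   # e.g. -rw-r--r--
    case "$mode" in
        ???????r??) return 0 ;;        # 8th character is the "other" read bit
        *) return 1 ;;
    esac
}

# Strip all "other" access; only root (the owner) needs to read the file.
harden() {
    chmod o-rwx "$1"
}

# Audit the advisory's path, fix it if needed, and report what was done.
# Returns 0 when the file ends up safe, 2 when it is not present.
audit_radtac() {
    f="${SHIVA_HOME_DIR:-/opt/shiva}/insnmgmt/shiva_access_manager/radtac.ini"
    if is_world_readable "$f"; then
        echo "WARN: $f is world-readable; removing 'other' access"
        harden "$f"
        return 0
    elif [ ! -e "$f" ]; then
        echo "INFO: $f not found (is SHIVA_HOME_DIR set?)"
        return 2
    fi
    echo "OK: $f is not world-readable"
    return 0
}
```

Run `audit_radtac` as root after configuring LDAP, or from a periodic compliance job, so the permissions stay correct after reinstalls or upgrades that may recreate the file with its default mode.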