CNET News.com: Red Hat glitch leaves Web servers wide open
Apr 26, 2000, 01:11
(Other stories by Stephen Shankland)
[ Thanks to Frank Earl for this link. ]
"Red Hat's Piranha software, which lets several Linux machines share a task such as delivering Web pages, has a password-protected feature used to control the software. But the part of the software that checks the password also will run whatever command an attacker wants, said Mike Wangsmo, director of the Piranha product."
"On top of that problem, Red Hat 6.2 shipped with the password set--username "piranha" and password "q"--meaning that an administrator couldn't use the management software in the first place unless that password were known, Wangsmo said. The product is supposed to prompt for a password the first time it's used."
"Internet Security Systems (ISS), the group that found the vulnerability, was more critical of the problems, giving it its most severe rating and saying it could provide a launch pad for a more severe attack."
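The two defects the article describes, a management CGI that hands its password input to a shell and a product that ships with a fixed username and password, are both avoidable in the credential check itself. The following is an added example written for this page, not Red Hat's Piranha code: a small credential store (hypothetical names `CredentialStore`, `audit_default_credentials`, `needs_initial_setup`) that validates the username against a strict allowlist, compares passwords only as salted hashes in memory so no user input ever reaches a command interpreter, refuses to store the shipped default pair quoted in the article, and reports whether setup still has to prompt for a first password.

```python
"""Hardened credential check for a web management interface.

Added example, not part of the CNET story or of the Piranha product.
Assumes a minimal in-memory store of salted PBKDF2 hashes; names here
are hypothetical.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# The default pair the article says Red Hat 6.2 shipped with; used only
# so the store can refuse it and so an audit can flag it.
DEFAULT_USER = "piranha"
DEFAULT_PASSWORD = "q"

# Allowlist for usernames: letters, digits, underscore and dash only, so
# shell metacharacters can never appear in anything derived from a login.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_default_credential(user: str, password: str) -> bool:
    """True when the pair is exactly the shipped default."""
    return user == DEFAULT_USER and password == DEFAULT_PASSWORD


class CredentialStore:
    """Username -> (salt, digest). Passwords are never kept in clear."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        # Dummy entry so a lookup miss costs the same as a hit (no enumeration by timing).
        self._dummy = hash_password(os.urandom(16).hex())

    def needs_initial_setup(self) -> bool:
        """The interface must prompt for a password when no account exists yet."""
        return not self._users

    def set_password(self, user: str, password: str) -> None:
        if not USERNAME_RE.match(user):
            raise ValueError("username fails allowlist")
        if is_default_credential(user, password):
            raise ValueError("refusing to store the shipped default credential")
        if len(password) < 8:
            raise ValueError("password too short")
        self._users[user] = hash_password(password)

    def verify(self, user: str, password: str) -> bool:
        """Constant-time comparison in process memory; no shell is ever involved."""
        if not USERNAME_RE.match(user):
            return False
        salt, stored = self._users.get(user, self._dummy)
        _, candidate = hash_password(password, salt)
        # Only succeed when the user really exists AND the digests match.
        return user in self._users and hmac.compare_digest(stored, candidate)


def audit_default_credentials(store: CredentialStore) -> List[str]:
    """Detection check: list accounts that still accept the shipped default password."""
    return [u for u in list(store._users) if store.verify(u, DEFAULT_PASSWORD)]


if __name__ == "__main__":
    s = CredentialStore()
    print("needs setup:", s.needs_initial_setup())
    s.set_password("admin", "correct horse battery staple")
    print("login ok:", s.verify("admin", "correct horse battery staple"))
    print("metachar user rejected:", not s.verify("admin; id", "anything"))
    print("default accounts:", audit_default_credentials(s))
```

The design point is that the password check does no string building at all: the username is matched against an allowlist before any other use, and the password is reduced to a hash and compared with `hmac.compare_digest`, so there is nothing for a crafted input to inject into. The `needs_initial_setup` and `audit_default_credentials` checks cover the second problem from the article, a product that ships already configured with a known credential.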