Bugtraq mailing list archives
Re: IBM DB2 default account and password Vulnerability
From: "R. Lonstein" <lonstein () AGORON COM>
Date: Wed, 6 Dec 2000 20:29:31 -0500
On Tue, Dec 05, 2000 at 09:32:18PM +0800, benjurry wrote: [snip - hype]
2.Problem: During the installation of IBM DB2 V6.1 there is no prompt to the admin user to change the default passwords, leaving the possiblity for a user to gain access to the database and even the system. Under winnt/win2k,the account named db2admin,the default password is db2admin.Under linux the accounts named db2inst1,db2as,db2fenc1,and the default password is ibmdb2.
[snip] I do not have the DB2 manuals at hand from home, but I believe that the default accounts are mentioned both in the installation guide and the vanilla-text install guide on the CD. I recall that under Solaris there is also a warning when accepting the defaults that accounts will be created. Is it fair to assume that someone installing a product like DB2 is likely to read the manual? Given the fact that this made the list, I'll answer that question with, "No." - Ross
Current thread:
- IBM DB2 default account and password Vulnerability benjurry (Dec 07)
- Re: IBM DB2 default account and password Vulnerability R. Lonstein (Dec 08)