Bugtraq mailing list archives

Re: IBM DB2 default account and password Vulnerability


From: "R. Lonstein" <lonstein () AGORON COM>
Date: Wed, 6 Dec 2000 20:29:31 -0500

On Tue, Dec 05, 2000 at 09:32:18PM +0800, benjurry wrote:
        [snip - hype]
2. Problem:
    During the installation of IBM DB2 V6.1 there is no prompt to the admin user to change the default passwords, leaving the possibility for a user to gain access to the database and even the system.
Under winnt/win2k, the account named db2admin, the default password is db2admin. Under linux the accounts named db2inst1, db2as, db2fenc1, and the default password is ibmdb2.
        [snip]

I do not have the DB2 manuals at hand from home, but I believe that the
default accounts are mentioned both in the installation guide and the
vanilla-text install guide on the CD. I recall that under Solaris there
is also a warning when accepting the defaults that accounts will be
created.

Is it fair to assume that someone installing a product like DB2 is
likely to read the manual? Given the fact that this made the list, I'll
answer that question with, "No."

- Ross
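
An added example, not part of the original message and not IBM tooling: a host-side check that reports whether the Linux default accounts named in the quoted advisory exist, whether their password login is enabled, and when the password was last changed. It reads passwd and shadow data only and tests no passwords; the sample lines, the function names and the list of no-login shells are assumptions made for the illustration.

```python
from datetime import date, timedelta

# Account names are the Linux defaults listed in the quoted advisory.
DB2_DEFAULT_ACCOUNTS = ("db2inst1", "db2as", "db2fenc1")
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")

# Constructed sample data, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
db2inst1:x:1001:1001::/home/db2inst1:/bin/bash
db2as:x:1002:1002::/home/db2as:/bin/bash
db2fenc1:x:1003:1003::/home/db2fenc1:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$1$constructed$notarealhash:11000:0:99999:7:::
db2inst1:$1$constructed$notarealhash:11292:0:99999:7:::
db2as:!$1$constructed$notarealhash:11292:0:99999:7:::
db2fenc1:*:11292:0:99999:7:::
"""

def password_state(field):
    """Classify a shadow password field without testing any password."""
    if field is None:
        return "no shadow entry"
    if field == "":
        return "empty"
    return "locked" if field[0] in "!*" else "enabled"

def audit_db2_defaults(passwd_text, shadow_text):
    """Report every DB2 default account present in the passwd data."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            shadow[fields[0]] = fields
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or fields[0] not in DB2_DEFAULT_ACCOUNTS:
            continue
        entry = shadow.get(fields[0])
        days = entry[2] if entry and entry[2].isdigit() else None
        report[fields[0]] = {
            "password": password_state(entry[1] if entry else None),
            # Field 3 of shadow is the last change, in days since 1970-01-01.
            "last_change": (date(1970, 1, 1) + timedelta(int(days))).isoformat() if days else None,
            "interactive_shell": fields[6] not in NOLOGIN_SHELLS,
        }
    return report

if __name__ == "__main__":
    for name, result in audit_db2_defaults(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(name, result)
```

An account reported as `enabled` with a `last_change` date equal to the installation date is the case to follow up: the password has not been changed since the installer created it.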

