Paros: Default administrator password
Gentoo Linux Security Advisory
GLSA 200601-15 / Paros
Release date: January 29, 2006
Latest revision: January 29, 2006: 01
All supported architectures
Paros's database component is installed without a password, allowing
execution of arbitrary system commands.
Paros is an intercepting proxy between a web server and a client
meant to be used for security assessments. It allows the user to watch
and modify the HTTP(S) traffic.
Andrew Christensen discovered that in older versions of Paros the
database component HSQLDB is installed with an empty password for the
database administrator "sa".
Since the database listens globally by default, an attacker can
connect and issue arbitrary commands, including execution of binaries
installed on the host.
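The exposure described above hinges on the embedded database accepting connections on every interface. As an added audit example (not part of the advisory or of Paros itself), the following script parses `ss -ltnp` output and reports the ports on which a given process, here the Java process that hosts Paros and its HSQLDB component, listens on a wildcard address rather than on loopback only. The sample listener lines are constructed for illustration; the port and PID values in them are made up.

```python
import re
from typing import List, Optional, Tuple

# Wildcard local addresses as printed by `ss -ltnp`: a socket bound to one of
# these accepts connections from any interface, i.e. it "listens globally".
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

# Constructed sample of `ss -ltnp` output (ports and PIDs are invented).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*          users:(("java",pid=4242,fd=19))
LISTEN  0       50      0.0.0.0:9001         0.0.0.0:*          users:(("java",pid=4242,fd=23))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=811,fd=3))
LISTEN  0       50      [::]:9001            [::]:*             users:(("java",pid=4242,fd=24))
"""


def parse_ss_line(line: str) -> Optional[Tuple[str, int, str, int]]:
    """Return (local_addr, port, process_name, pid) for one LISTEN line, else None."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "LISTEN":
        return None
    addr, _, port = parts[3].rpartition(":")  # split "addr:port", IPv6-safe
    m = PROC_RE.search(line)
    name, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
    return addr, int(port), name, pid


def globally_exposed(ss_output: str, proc_name: str = "java") -> List[Tuple[int, int]]:
    """Ports on which proc_name listens on a wildcard address, as sorted (port, pid) pairs.

    A loopback-only listener (127.0.0.1 / ::1) is not reported; IPv4 and IPv6
    wildcard sockets on the same port collapse into one entry.
    """
    found = set()
    for line in ss_output.splitlines():
        rec = parse_ss_line(line)
        if rec is None:
            continue
        addr, port, name, pid = rec
        if name == proc_name and addr in WILDCARD_ADDRS:
            found.add((port, pid))
    return sorted(found)


if __name__ == "__main__":
    for port, pid in globally_exposed(SAMPLE_SS_OUTPUT):
        print(f"java (pid {pid}) listens on all interfaces, port {port}")
```

On a live host, feed it the real output with `globally_exposed(subprocess.check_output(["ss", "-ltnp"], text=True))`; any reported port should be bound to loopback or firewalled until the upgrade is applied.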
There is no known workaround at this time.
All Paros users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-proxy/paros-3.2.8"