COMMAND

	GroupWise default username / password

SYSTEMS AFFECTED

	 Groupwise 5.5 Enhancement Pack

	 Groupwise 6.0

PROBLEM

	Adam Gray found following :
	

	 default username and password exists that controls the servlet manager.

	The servlet manager allows the  configuration  of  the  servlets  to  be
	loaded, reloaded or unloaded. This  is  more  of  an  annoyance  than  a
	exploit. The ability to control and unload servlets allows  an  attacker
	to deny web based services  to  users.  This  will  prevent  users  from
	accessing mail or other servlet based resources.
	

	 Exploit

	 =======

	

	

	http://server/servlet/ServletManager

	username servlet

	password manager

	

SOLUTION

	Change the password:
	

	Edit  the  SYS:\\JAVA\\SERVLETS\\SERVLET.PROPERTIES  file.  There  is  a
	section for ServletManager like the following:
	

	

	# ServletManager servlet

	servlet.ServletManager.code=com.novell.application.ServletGateway.ServletManager

	

	servlet.ServletManager.initArgs=datamethod=POST,user=servlet,password=manager,bgcolor

	

	#c0c0c0

	servlet.ServletManager.preload=true