Default Servlet Gateway password can allow unauthorized users to disable WebAccess.

  • 10067329
  • NOVL68022
  • 07-Jan-2002
  • 06-Feb-2003

Fact

Novell GroupWise WebAccess 5.5 EP

Novell Servlet Gateway

Symptom

Default Servlet Gateway password can allow unauthorized users to disable WebAccess.

Cause

Enhancement Pack WebAccess uses the Novell Servlet Gateway to process requests. The install enables the Servlet Manager with a default user name and password. The manager can be used to disable the various servlets running on the server. An unauthorized user could log in to the Servlet Manager and disable WebAccess if the default user name and password are not changed.

Fix

Novell recommends that the password be changed according to the following procedure:

Edit the SYS:\JAVA\SERVLETS\SERVLET.PROPERTIES file. There is a section for ServletManager like the following:

# ServletManager servlet
servlet.ServletManager.code=com.novell.application.ServletGateway.ServletManager
servlet.ServletManager.initArgs=datamethod=POST,user=servlet,password=manager,bgcolor=#c0c0c0
servlet.ServletManager.preload=true

The initialization arguments contain user=servlet and password=manager; edit these to reflect the user name and password that you wish to use. Then run java -exit on the server, followed by NSWEBDN and then NSWEB, to reload the servlet gateway and the web server.
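
A check for the condition described above, as an added example that is not part of the original Novell document: it parses the text of a SERVLET.PROPERTIES file and reports whether the ServletManager initArgs still carry the default user name or password. The function names and the EXAMPLE_ replacement values are assumptions made for illustration.

```python
# Added example: audit SERVLET.PROPERTIES text for the default ServletManager login.
DEFAULT_USER = "servlet"
DEFAULT_PASSWORD = "manager"
INIT_ARGS_KEY = "servlet.ServletManager.initArgs"


def parse_init_args(text):
    """Return the ServletManager initArgs as a dict, or None if absent."""
    for raw in text.splitlines():
        line = raw.strip()
        # Skip whole-line comments only: bgcolor=#c0c0c0 carries '#' in its value.
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == INIT_ARGS_KEY:
            args = {}
            for item in value.split(","):
                name, eq, val = item.partition("=")
                if eq:
                    args[name.strip()] = val.strip()
            return args
    return None


def audit(text):
    """Return a list of findings; an empty list means no default is in use."""
    args = parse_init_args(text)
    if args is None:
        return ["ServletManager initArgs not found"]
    findings = []
    if args.get("user") == DEFAULT_USER:
        findings.append("default user name still set")
    if args.get("password") == DEFAULT_PASSWORD:
        findings.append("default password still set")
    return findings


# Constructed samples: SHIPPED mirrors the section shown in this document,
# CHANGED swaps in placeholder replacement values.
SHIPPED = """# ServletManager servlet
servlet.ServletManager.code=com.novell.application.ServletGateway.ServletManager
servlet.ServletManager.initArgs=datamethod=POST,user=servlet,password=manager,bgcolor=#c0c0c0
servlet.ServletManager.preload=true
"""
CHANGED = SHIPPED.replace("user=servlet", "user=EXAMPLE_USER").replace(
    "password=manager", "password=EXAMPLE_PASSWORD")

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("changed", CHANGED)):
        print(name, audit(text) or "ok")
```

To audit a real server, pass the contents of a copy of SYS:\JAVA\SERVLETS\SERVLET.PROPERTIES to audit().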
  

Note

This has been fixed in GroupWise 6.  During installation you are now prompted for the username and password.