HTTP basic authorization password guessed

Risk Level: High

Check or Attack Name: httppassword

Platforms: Any
Description:

The WWW resource was found to be vulnerable. Default accounts or easily guessable passwords can give an attacker access to sensitive information.
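A defender-side check that complements this finding, added here as an example (not part of the original advisory): a small parser for Common Log Format web-server access logs that flags clients producing a run of 401 responses against one path, and marks the case where that run ends in a 200, the pattern left behind when a guessable password is eventually found. The log lines, the threshold value and the function names are constructed assumptions, not anything the advisory specifies.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /admin/ HTTP/1.0" 401 381
203.0.113.7 - admin [10/Oct/2000:13:55:37 -0700] "GET /admin/ HTTP/1.0" 401 381
203.0.113.7 - admin [10/Oct/2000:13:55:38 -0700] "GET /admin/ HTTP/1.0" 401 381
203.0.113.7 - admin [10/Oct/2000:13:55:39 -0700] "GET /admin/ HTTP/1.0" 401 381
203.0.113.7 - admin [10/Oct/2000:13:55:40 -0700] "GET /admin/ HTTP/1.0" 401 381
203.0.113.7 - admin [10/Oct/2000:13:55:41 -0700] "GET /admin/ HTTP/1.0" 200 2326
198.51.100.4 - - [10/Oct/2000:13:56:01 -0700] "GET /admin/ HTTP/1.0" 401 381
198.51.100.4 - bob [10/Oct/2000:13:56:02 -0700] "GET /admin/ HTTP/1.0" 200 2326
"""

# One CLF record: client, ident, authuser, [timestamp], "request", status, size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_clf(text):
    """Yield a dict per well-formed CLF line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def find_guessing(text, threshold=5):
    """
    Return {ip: {"failures": n, "success_after_failures": bool}} for every
    client whose 401 count on a single path reaches `threshold` (an assumed
    cut-off). success_after_failures becomes True when a 200 on that same
    path follows the 401 run: the signature of a guessed password rather
    than a single mistyped one.
    """
    failures = defaultdict(int)  # (ip, path) -> 401s seen so far
    result = {}
    for rec in parse_clf(text):
        key = (rec["ip"], rec["path"])
        if rec["status"] == 401:
            failures[key] += 1
            if failures[key] >= threshold:
                entry = result.setdefault(
                    rec["ip"], {"failures": 0, "success_after_failures": False}
                )
                entry["failures"] = failures[key]
        elif rec["status"] == 200 and rec["ip"] in result and failures[key] >= threshold:
            result[rec["ip"]]["success_after_failures"] = True
    return result


if __name__ == "__main__":
    # Usage: python3 this_file.py, or feed open("/var/log/httpd/access_log").read()
    for ip, info in find_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

The second client in the sample fails once and then succeeds, which is what a legitimate user mistyping a password looks like, so it stays below the threshold; only the run of five failures followed by a success is reported.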

Remedy:

Disable the account or change the password to something difficult to guess.

Unix: Disable login access to this Unix account if it is not needed:

  1. Edit the /etc/passwd file.
  2. Locate the account.
  3. Place an * (asterisk) in the password field.
  4. Place the string /bin/false in the shell field. An example of the /etc/passwd entry for a disabled guest account should resemble the following:

       guest:*:2311:50:Guest User:/home/guest:/bin/false

  5. Save and exit the file.
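The Unix steps above amount to two checks on a passwd entry: an asterisk in the password field and /bin/false in the shell field. As an added example (not part of the original advisory), the following audits a passwd-format file against both criteria and shows the rewrite the steps describe. The sample entries and the function names are constructed for illustration.

```python
# Constructed sample in /etc/passwd format; not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
guest:*:2311:50:Guest User:/home/guest:/bin/false
demo:x:2312:50:Demo User:/home/demo:/bin/sh
test:*:2313:50:Test User:/home/test:/bin/sh
# a comment and a malformed line, both of which the parser skips
broken:x:1
"""

DISABLED_SHELL = "/bin/false"


def parse_passwd(text):
    """Yield (name, password_field, shell) for each well-formed 7-field entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        yield fields[0], fields[1], fields[6]


def audit_passwd(text):
    """
    Classify each account against the advisory's two criteria.
    Returns {name: "disabled" | "locked-only" | "no-shell-only" | "enabled"}
    so that half-applied remedies (one field changed, not the other) stand out.
    """
    report = {}
    for name, pw, shell in parse_passwd(text):
        locked = pw == "*"
        no_shell = shell == DISABLED_SHELL
        if locked and no_shell:
            report[name] = "disabled"
        elif locked:
            report[name] = "locked-only"
        elif no_shell:
            report[name] = "no-shell-only"
        else:
            report[name] = "enabled"
    return report


def disable_entry(line):
    """Return the entry rewritten per the advisory: '*' password, /bin/false shell."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("not a 7-field passwd entry")
    fields[1] = "*"
    fields[6] = DISABLED_SHELL
    return ":".join(fields)


if __name__ == "__main__":
    # Usage: python3 this_file.py, or pass open("/etc/passwd").read() to audit_passwd
    for name, state in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{name}: {state}")
```

One caveat when running this on a current system: with shadow passwords the field in /etc/passwd holds `x` and the hash lives in /etc/shadow, so the asterisk test here only reflects the password field the advisory's steps edit; on such a system the lock state has to be read from /etc/shadow instead, while the shell check still applies as written.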

Windows: Select one of these choices:

  • Change the password on this account to something difficult to guess:

    1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
    2. Double-click the account to display the User Properties dialog box.
    3. To change the password to something difficult to guess, type and confirm the new password.
    4. Click OK.

  —OR—

  • Disable login access to this Windows account:

    1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
    2. Double-click the account to display the User Properties dialog box.
    3. To disable the account, select the Account Disabled check box.
    4. Click OK.
