Rapid7 Vulnerability & Exploit Database

Urchin Web Analytics Default Password

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 01/04/2005
Created: 07/25/2018
Added: 01/04/2005
Modified: 03/21/2018

Description

Urchin is a web traffic analyzer package that usually runs on its own web server port. Urchin allows administrators to access and analyze web logs remotely. When the software is first installed, it uses the default username "admin" with the password "urchin". If this password is left unchanged, anyone can log in and view logs or change the configuration. Urchin logs can contain usernames used to log in to your sites. By viewing the configuration, a remote user could also obtain your Urchin serial number and registration information. It is also theoretically possible for a remote user to set up a new site profile and divulge information from arbitrary text files on the system by telling Urchin to treat certain directories (for example, the /etc directory) as web log directories.

Solution(s)

  • http-urchin-default-login-workaround
