Postgres Plus Advanced Server is an enterprise database solution. It includes several productivity tools, such as Migration Studio, Postgres Studio, DBA Management Server, and DBA Monitoring Console.
An authentication bypass vulnerability exists in the browser-based DBA Management Server tool included with EnterpriseDB Postgres Plus Advanced Server versions 8.x prior to 126.96.36.199. Postgres Plus Advanced Server uses JBoss Application Server to execute the DBA Management Server. The JBoss configuration does not limit access to the jmx-console and web-console applications. Unauthenticated clients can use these applications to upload and execute malicious files.
Update DBA Management Server to Build 39, or remove the jmx-console and web-console applications from the Postgres Plus Advanced Server.
This exploit works against EnterpriseDB Postgres Plus Advanced Server 188.8.131.52 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP1 English (DEP OptOut).