The JBoss EAP/EWP 5.2.0 GUI installer can generate an auto-install XML file that contains the admin user password in plain text. When saved to disk, this file is created world-readable, so any local user on the host can read the password and use it to gain administrative access to the EAP/EWP instance.
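The following check is an added example and is not part of the advisory or of Red Hat's tooling. It finds an auto-install XML file that is both world-readable and carries a password element, and tightens its mode to 0600 as an interim mitigation. The element name `<password>` and the sample file contents are assumptions: the advisory does not give the installer's schema, so the check matches any element whose name contains "password", case-insensitively.

```shell
#!/bin/sh
# Added example, not from the advisory or from Red Hat. Detects a JBoss
# auto-install XML file that is world-readable and holds a plain-text
# password, and tightens its mode. The <password> element name is an
# assumption; the real installer schema is not given in the advisory.

# Returns 0 if the file is safe, 1 if it is world-readable and contains a
# password element, 2 if the file does not exist.
check_autoinstall_file() {
    f="$1"
    [ -f "$f" ] || return 2
    # find -perm -004 (POSIX octal form) prints the path only when the
    # "other" read bit is set, i.e. the file is world-readable.
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ] \
        && grep -qi '<[^>]*password[^>]*>' "$f"; then
        return 1
    fi
    return 0
}

# Interim mitigation: make the file readable by its owner only. The proper
# fix is the errata in the advisory, and deleting the file once the
# automated install has run so the password is not kept on disk at all.
harden_autoinstall_file() {
    f="$1"
    [ -f "$f" ] || return 2
    chmod 600 "$f" || return 1
    return 0
}

# Constructed sample reproducing the condition the advisory describes: a
# world-readable file with the admin password in clear text. Element names
# are assumed, not the installer's real schema. Prints the path.
make_sample_autoinstall() {
    dir=$(mktemp -d)
    f="$dir/auto-install.xml"
    cat > "$f" <<'EOF'
<?xml version="1.0"?>
<!-- constructed sample; element names are assumed -->
<AutomatedInstallation>
  <adminUser>admin</adminUser>
  <password>s3cr3t-example</password>
</AutomatedInstallation>
EOF
    chmod 644 "$f"   # the world-readable mode the advisory describes
    printf '%s\n' "$f"
}

# Usage: sh check_autoinstall.sh /path/to/auto-install.xml [...]
for path in "$@"; do
    rc=0
    check_autoinstall_file "$path" || rc=$?
    case $rc in
        0) echo "ok: $path" ;;
        1) echo "WARNING: $path is world-readable and holds a password; setting mode 600"
           harden_autoinstall_file "$path" ;;
        *) echo "skip: $path not found" ;;
    esac
done
```

Run it against the path where the GUI installer wrote the auto-install file; tightening the mode only closes the local-read window, it does not remove the plain-text password from the file.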
Acknowledgements: This issue was discovered by Arun Neelicattu of the Red Hat Security Response Team.
This issue has been addressed in the following products:
JBoss Enterprise Web Platform 5.2.0, via RHSA-2013:0207: https://rhn.redhat.com/errata/RHSA-2013-0207.html
JBoss Enterprise Application Platform 5.2.0, via RHSA-2013:0206: https://rhn.redhat.com/errata/RHSA-2013-0206.html
JBoss Enterprise Application Platform 6.1.0, via RHSA-2013:0833: https://rhn.redhat.com/errata/RHSA-2013-0833.html