avast! Server Edition before 4.7.726 does not demand a password in a certain intended context, even when a password has been set, which allows local users to bypass authentication requirements.
https://exchange.xforce.ibmcloud.com/vulnerabilities/32269
http://www.vupen.com/english/advisories/2007/0499
http://www.securityfocus.com/bid/22425
http://www.avast.com/eng/avast-4-server-revision-history.html