Product:
MySQL Eventum Issue / Bug Tracking System
Released:
12/28/2004
Description:
MySQL Eventum 1.3.1 contains an undocumented administrator account with an unknown password.
Systems Affected:
Technical Description:
The Eventum bug tracking system contains an enabled administrator account which is not documented. After a successful installation, the system notifies you to change the password and login information for the default administrator account (admin@example.com), but does not mention system-account@example.com.
The account is created with an MD5-hashed password which resisted basic dictionary cracking attempts. However, anyone knowing the password (i.e., someone from the Eventum dev team, or via cracking) would be able to log in to any Eventum system.
Fix/Workaround:
MySQL reports Eventum release 1.4 resolves this issue.
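The following check is an added example, not part of the original advisory and not Eventum code: it reviews an exported user list for the two default accounts named above and reports any that are still enabled. The CSV layout (columns email, status, password_hash) and the sample rows are assumptions constructed for illustration, not Eventum's actual schema.

```python
import csv
import io
import re

# Accounts the advisory says a fresh Eventum 1.3.1 install contains.
DOCUMENTED_DEFAULT = "admin@example.com"
UNDOCUMENTED_DEFAULT = "system-account@example.com"
# 32 hex characters, the shape of an MD5 digest as described in the advisory.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def audit_accounts(export_csv):
    """Return (email, [reasons]) for every enabled account that needs review.

    Assumed export columns (hypothetical, not Eventum's schema):
    email, status ('active' or 'inactive'), password_hash.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = row["email"].strip().lower()
        if row["status"].strip().lower() != "active":
            continue  # a disabled account cannot be used to log in
        reasons = []
        if email == UNDOCUMENTED_DEFAULT:
            reasons.append("undocumented vendor account is enabled")
        elif email == DOCUMENTED_DEFAULT:
            reasons.append("installer default administrator is enabled")
        elif email.endswith("@example.com"):
            # example.com is a reserved domain, so no real user owns this address
            reasons.append("reserved example.com address on a live account")
        if reasons and MD5_HEX.match(row["password_hash"].strip()):
            reasons.append("password hash is 32 hex characters, consistent with MD5")
        if reasons:
            findings.append((email, reasons))
    return findings


# Constructed sample export; the hashes are made-up placeholders.
SAMPLE_EXPORT = """email,status,password_hash
admin@example.com,inactive,00000000000000000000000000000000
system-account@example.com,active,11111111111111111111111111111111
alice@corp.test,active,22222222222222222222222222222222
"""

if __name__ == "__main__":
    for email, reasons in audit_accounts(SAMPLE_EXPORT):
        print(email, "->", "; ".join(reasons))
```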
Vendor Status:
MySQL was notified on 12/28/2004. The MySQL bug report system immediately makes issues public, which is why this release coincides with vendor disclosure.
Contacts:
sullo@cirt.net
References:
Updated information can be found on OSVDB.org under the following entries:
OSVDB-12605: MySQL Eventum Default Vendor Account