MySQL Eventum Issue / Bug Tracking System
MySQL Eventum 1.3.1 contains an undocumented administrator account with an unknown password.
The Eventum bug tracking system contains an enabled administrator account which is not documented. After a successful installation, the system notifies you to change the password and login information for the default administrator account (firstname.lastname@example.org), but does not mention email@example.com.
The account is created with an MD5-hashed password which resisted basic dictionary cracking attempts; however, anyone who knows the password (i.e., someone from the Eventum dev team, or someone who recovers it via cracking) would be able to log in to any Eventum system.
MySQL reports Eventum release 1.4 resolves this issue.
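For installations that cannot be upgraded right away, one way to spot the extra account is to list every active administrator the operator does not recognise and mark those created at install time. The following is an added example, not part of the original advisory or of Eventum's code; the table name, column names, role values and sample rows are assumptions constructed for illustration and are not taken from the Eventum schema.

```python
import sqlite3

# Assumed schema for illustration only; the real Eventum user table may differ.
SCHEMA = """CREATE TABLE app_user (
    usr_email TEXT, usr_role TEXT, usr_status TEXT, usr_created TEXT)"""

# Constructed sample rows: two accounts created by the installer at the same
# moment, plus accounts the operator added later.
SAMPLE_ROWS = [
    ("documented-admin@example.test", "administrator", "active", "2004-12-01 10:00:00"),
    ("vendor-account@example.test", "administrator", "active", "2004-12-01 10:00:00"),
    ("alice@example.test", "administrator", "active", "2004-12-05 09:30:00"),
    ("bob@example.test", "standard", "active", "2004-12-06 14:10:00"),
    ("old-admin@example.test", "administrator", "inactive", "2004-12-02 08:00:00"),
]


def build_sample_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO app_user VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def audit_admins(conn, known_admins):
    """Return active administrator accounts that are not on the operator's list.

    Each finding also records whether the account shares the earliest creation
    time in the table, i.e. whether the installer is the likely creator.
    """
    known = {email.lower() for email in known_admins}
    install_time = conn.execute("SELECT MIN(usr_created) FROM app_user").fetchone()[0]
    rows = conn.execute(
        "SELECT usr_email, usr_created FROM app_user "
        "WHERE usr_role = ? AND usr_status = ? ORDER BY usr_email",
        ("administrator", "active"),
    ).fetchall()
    return [
        {"email": email, "installer_created": created == install_time}
        for email, created in rows
        if email.lower() not in known
    ]


if __name__ == "__main__":
    expected = ["documented-admin@example.test", "alice@example.test"]
    for finding in audit_admins(build_sample_db(), expected):
        print(finding)
```

Any account reported with installer_created set to True should be disabled or given a new password, since the operator never chose its credentials.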
MySQL was notified on 12/28/2004. The MySQL bug report system immediately makes issues public, which is why this release coincides with vendor disclosure.
Updated information can be found on OSVDB.org under the following entries:
OSVDB-12605: MySQL Eventum Default Vendor Account