
Re: are webapps allowed to have a default user with a default password?



On Mon, Nov 3, 2008 at 5:40 PM, Evgeni Golov <sargentd@die-welt.net> wrote:

> while working on a fix for opendb's RC/Security bug #504173, I noticed
> that opendb creates a default admin user "test" with "test" as password.
> This is IMHO a security hole, but I would like to hear your opinion -
> is this okay or not?

Sounds like a security issue to me, severity would depend on what
admins can do and apache configuration though. IMO the sysadmin should
be responsible for setting the initial password, or it might be
reasonable to generate a random password.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

