[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: are webapps allowed to have a default user with a default password?

On Mon, 3 Nov 2008 18:18:38 +0900 Paul Wise wrote:

> On Mon, Nov 3, 2008 at 5:40 PM, Evgeni Golov <sargentd@die-welt.net> wrote:
> 
> > while working on a fix for opendb's RC/Security bug #504173, I noticed
> > that opendb creates a default admin user "test" with "test" as password.
> > This is IMHO a security hole, but I would like to hear your opinion -
> > is this okay or not?
> 
> Sounds like a security issue to me, severity would depend on what
> admins can do and apache configuration though.

Apache config is autoadjusted (but you can disable this though) via the
maintainer scripts.
An admin can use the app, delete stuff, possibly exploit
CVE-2008-4796 :) - doesnt sound too good

Based on KiBi's words on IRC, opendb's popcon (22) and the count of
problems (CVE-2008-4796/#504173, this issue, 1 lintian error and 18
warnings[1]), why not just remove the package and let someone who is
interested upload a new upstream (upstream is at 1.5 now) after Lenny?

Regards

[1]
http://lintian.debian.org/reports/maintainer/schultmc@debian.org.html#opendb
Reply to: