Re: are webapps allowed to have a default user with a default password?
On Mon, Nov 3, 2008 at 5:40 PM, Evgeni Golov <firstname.lastname@example.org> wrote:
> while working on a fix for opendb's RC/Security bug #504173, I noticed
> that opendb creates a default admin user "test" with "test" as password.
> This is IMHO a security hole, but I would like to hear your opinion -
> is this okay or not?
Sounds like a security issue to me, severity would depend on what
admins can do and apache configuration though. IMO the sysadmin should
be responsible for setting the initial password, or it might be
reasonable to generate a random password.