Re: are webapps allowed to have a default user with a default password?
On Mon, 3 Nov 2008 18:18:38 +0900 Paul Wise wrote:
> On Mon, Nov 3, 2008 at 5:40 PM, Evgeni Golov <firstname.lastname@example.org> wrote:
> > while working on a fix for opendb's RC/Security bug #504173, I noticed
> > that opendb creates a default admin user "test" with "test" as password.
> > This is IMHO a security hole, but I would like to hear your opinion -
> > is this okay or not?
> Sounds like a security issue to me, severity would depend on what
> admins can do and apache configuration though.
Apache config is autoadjusted (but you can disable this though) via the
An admin can use the app, delete stuff, possibly exploit
CVE-2008-4796 :) - doesn't sound too good
Based on KiBi's words on IRC, opendb's popcon (22) and the count of
problems (CVE-2008-4796/#504173, this issue, 1 lintian error and 18
warnings), why not just remove the package and let someone who is
interested upload a new upstream (upstream is at 1.5 now) after Lenny?
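As an added illustration of the safer pattern a packager or upstream would want instead of a fixed "test"/"test" admin account (this is example code written for this note, not opendb's code, and it assumes a simple in-memory user table): the installer creates the admin with a random one-time password, stores only a salted hash, and forces a password change on first login. An audit helper flags accounts that still accept the reported default or a password equal to the username.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional

# The fixed default reported for opendb: username "test", password "test".
DEFAULT_USER = "test"
DEFAULT_PASSWORD = "test"

PBKDF2_ITERATIONS = 100_000  # assumption: a modest work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex$digesthex' using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def create_initial_admin(users: Dict[str, dict], name: str = "admin") -> str:
    """First-run setup: create the admin with a random one-time password.

    The installer shows the returned password exactly once; the account is
    marked must_change so the initial credential cannot be used for anything
    except setting a real password.
    """
    password = secrets.token_urlsafe(12)
    users[name] = {"hash": hash_password(password), "role": "admin", "must_change": True}
    return password


def login(users: Dict[str, dict], name: str, password: str) -> str:
    """Return 'denied', 'must_change' (password ok but rotation required) or 'ok'."""
    record = users.get(name)
    if record is None or not verify_password(password, record["hash"]):
        return "denied"
    if record["must_change"]:
        return "must_change"
    return "ok"


def audit_default_credentials(users: Dict[str, dict]) -> List[str]:
    """Flag accounts that still accept a well-known default: the reported
    test/test pair, or a password equal to the username."""
    flagged = []
    for name, record in users.items():
        if name == DEFAULT_USER and verify_password(DEFAULT_PASSWORD, record["hash"]):
            flagged.append(name)
        elif verify_password(name, record["hash"]):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    # Constructed demo: a fresh install plus a leftover default account.
    table: Dict[str, dict] = {}
    one_time = create_initial_admin(table)
    print("initial admin password (shown once):", one_time)
    print("first login state:", login(table, "admin", one_time))
    table[DEFAULT_USER] = {"hash": hash_password(DEFAULT_PASSWORD), "role": "admin", "must_change": False}
    print("accounts with default credentials:", audit_default_credentials(table))
```

The audit is what a packager could run against an existing database after an upgrade; the must_change flag is what keeps the generated password from becoming the new permanent default.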