Bug #7551 Eventum contains undocumented, active admin account
Submitted: 28 Dec 2004 7:05 Modified: 30 Dec 2004 15:37
Reporter: sullo
Status: Closed
Category:Eventum Severity:S2 (Serious)
Version:All OS:Any (All)
Assigned to: Bugs System Target Version:

[28 Dec 2004 7:05] sullo 
Description:
Eventum installs an administrator account 'system-account@example.com', which is enabled
and has a password set. Installation reminds the user to change the account
'admin@example.com', but does not mention this.  Since it is enabled, it is a backdoor
for anyone that knows the password.

How to repeat:
It is contained in the schema.sql file:
INSERT INTO %TABLE_PREFIX%user (usr_id, usr_created_date, usr_password, usr_full_name,
usr_email, usr_role, usr_preferences) VALUES (1, NOW(),
'14589714398751513457adf349173434', 'system', 'system-account@example.com', 7, '');

Suggested fix:
If the account is required by Eventum, set usr_status to inactive.
[28 Dec 2004 7:51] Bryan Alsdorf 
Thanks for the report, Since no one knows the password I don't consider this a serious
problem, but it is a problem. I have added a change to set this account inactive in our
next release.
[28 Dec 2004 8:13] sullo 
Agree that since the password is not known to most people (everyone?), it is limited in
threat. However, if someone could crack it would become a problem.
[30 Dec 2004 15:37] Joao Prado Maia 
This problem is fixed on the bitkeeper version of Eventum. We will release a new version
soon which will contain this fix.

Thanks for the report.