Bug #7551 Eventum contains undocumented, active admin account
Submitted: 28 Dec 2004 6:05
Modified: 30 Dec 2004 14:37
Reporter: sullo
Status: Closed
Category: Eventum
Severity: S2 (Serious)
Version: All
OS: Any (All)
Assigned to: Bryan Alsdorf
CPU Architecture: Any

[28 Dec 2004 6:05] sullo
Eventum installs an administrator account 'system-account@example.com', which is enabled and has a password set. Installation reminds the user to change the account 'admin@example.com', but does not mention this. Since it is enabled, it is a backdoor for anyone who knows the password.

How to repeat:
It is contained in the schema.sql file:
INSERT INTO %TABLE_PREFIX%user (usr_id, usr_created_date, usr_password, usr_full_name, usr_email, usr_role, usr_preferences) VALUES (1, NOW(), '14589714398751513457adf349173434', 'system', 'system-account@example.com', 7, '');

Suggested fix:
If the account is required by Eventum, set usr_status to inactive.
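
As an added example, not code from the report or from Eventum: a short Python audit that parses the INSERT rows for the user table out of schema.sql text and lists privileged accounts whose usr_status is not explicitly 'inactive', so a seed row like the one quoted above is caught before the schema is loaded. The sample SQL is the row from the report plus one constructed contrasting row; treating usr_role 7 as the admin role and 'inactive' as the status value are assumptions.

```python
import re

# Constructed sample text: the row quoted in the report, plus a second row
# (not from the page) that sets usr_status explicitly, for contrast.
SCHEMA_SQL = """
INSERT INTO %TABLE_PREFIX%user (usr_id, usr_created_date, usr_password, usr_full_name, usr_email, usr_role, usr_preferences) VALUES (1, NOW(), '14589714398751513457adf349173434', 'system', 'system-account@example.com', 7, '');
INSERT INTO %TABLE_PREFIX%user (usr_id, usr_created_date, usr_password, usr_full_name, usr_email, usr_role, usr_status) VALUES (2, NOW(), 'placeholder-hash', 'Admin', 'admin@example.com', 7, 'inactive');
"""

# Matches single-row INSERTs into the (prefixed) user table.
INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+(\S*user)\s*\((.*?)\)\s*VALUES\s*\((.*?)\)\s*;",
    re.IGNORECASE | re.DOTALL,
)
ADMIN_ROLE = 7  # role of the seeded account in the report; assumed to be the admin role

def split_values(raw):
    """Split a VALUES(...) body on commas that sit outside single quotes."""
    parts, cur, quoted = [], [], False
    for ch in raw:
        if ch == "'":
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return [p.strip("'") for p in parts]

def seeded_accounts(sql):
    """Return one dict per user-table INSERT, keyed by column name."""
    rows = []
    for m in INSERT_RE.finditer(sql):
        cols = [c.strip() for c in m.group(2).split(",")]
        rows.append(dict(zip(cols, split_values(m.group(3)))))
    return rows

def risky_seed_accounts(sql, admin_role=ADMIN_ROLE):
    """Return (email, status) for privileged seed accounts not explicitly inactive."""
    findings = []
    for row in seeded_accounts(sql):
        # None when the INSERT omits usr_status: the column default applies, and
        # the report shows that leaves the account enabled, so it is flagged too.
        status = row.get("usr_status")
        if int(row.get("usr_role", 0)) >= admin_role and status != "inactive":
            findings.append((row["usr_email"], status or "<unset, column default>"))
    return findings
```

Running it over the sample reports only 'system-account@example.com', because its row never sets usr_status; the row that sets 'inactive' passes.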
[28 Dec 2004 6:51] Bryan Alsdorf
Thanks for the report. Since no one knows the password, I don't consider this a serious problem, but it is a problem. I have added a change to set this account inactive in our next release.
[28 Dec 2004 7:13] sullo
Agree that since the password is not known to most people (everyone?), it is limited in threat. However, if someone could crack it, it would become a problem.
[30 Dec 2004 14:37] Joao Prado Maia
This problem is fixed in the BitKeeper version of Eventum. We will release a new version soon which will contain this fix.

Thanks for the report.