MySQL Eventum 1.3.1 Default Vendor Account

MySQL Eventum Issue / Bug Tracking System


MySQL Eventum 1.3.1 contains an undocumented administrator account with an unknown password.

Systems Affected:

  • MySQL Eventum 1.3.1
  • MySQL Eventum 1.3
  • MySQL Eventum 1.2.2
  • MySQL Eventum 1.2.1
  • MySQL Eventum 1.2
  • MySQL Eventum 1.1

Technical Description:
The Eventum bug tracking system contains an enabled administrator account which is not documented. After a successful installation, the system notifies you to change the password and login information for the default administrator account, but does not mention

The account is created with an MD5-hashed password which resisted basic dictionary cracking attempts; however, anyone knowing the password (i.e., someone from the Eventum dev team, or via cracking) would be able to log in to any Eventum system.

MySQL reports Eventum release 1.4 resolves this issue.
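
One way to check an installation for an enabled administrator account that the operator did not create. This is an added example, not code from the advisory or from Eventum. The row fields (`email`, `role`, `status`, `password_hash`), the role and status values, and the sample rows are assumptions standing in for an export of the application's account table, not Eventum's actual schema.

```python
import re

# A bare 32-hex-digit value is what an MD5 digest looks like when stored as text.
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample export of an account table (hypothetical field names and values).
SAMPLE_ROWS = [
    {"email": "admin@example.com", "role": "administrator",
     "status": "active", "password_hash": "00112233445566778899aabbccddeeff"},
    {"email": "Vendor-Support@example.invalid ", "role": "administrator",
     "status": "active", "password_hash": "ffeeddccbbaa99887766554433221100"},
    {"email": "old-admin@example.com", "role": "administrator",
     "status": "inactive", "password_hash": "0123456789abcdef0123456789abcdef"},
    {"email": "reporter@example.com", "role": "reporter",
     "status": "active", "password_hash": "89abcdef0123456789abcdef01234567"},
]


def audit_accounts(rows, known_admins):
    """Return enabled administrator accounts that are not on the operator's list.

    rows         -- iterable of dicts exported from the account table
    known_admins -- e-mail addresses of administrators the operator created
    """
    # Normalise case and whitespace so a near-match cannot hide an account.
    known = {addr.strip().lower() for addr in known_admins}
    findings = []
    for row in rows:
        if row["role"] != "administrator" or row["status"] != "active":
            continue  # only enabled administrator accounts are in scope
        email = row["email"].strip().lower()
        if email in known:
            continue
        findings.append({
            "email": email,
            # True when the stored credential is in MD5 digest format
            "md5_hash": bool(MD5_HEX.match(row["password_hash"])),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ROWS, ["admin@example.com"]):
        print("undocumented administrator:", finding["email"],
              "(MD5-format hash)" if finding["md5_hash"] else "")
```

Any account this reports should be disabled or given a new password until the installation is upgraded to a release that resolves the issue.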

Vendor Status:
MySQL was notified on 12/28/2004. The MySQL bug report system immediately makes issues public, which is why this release coincides with vendor disclosure.


Updated information can be found under the following entries:

OSVDB-12605 MySQL Eventum Default Vendor Account