MySQL Eventum 1.3.1 Default Vendor Account

Product:
MySQL Eventum Issue / Bug Tracking System

Released:
12/28/2004

Description:
MySQL Eventum 1.3.1 contains an undocumented administrator account with an unknown password.

Systems Affected:

  • MySQL Eventum 1.3.1
  • MySQL Eventum 1.3
  • MySQL Eventum 1.2.2
  • MySQL Eventum 1.2.1
  • MySQL Eventum 1.2
  • MySQL Eventum 1.1

Technical Description:
The Eventum bug tracking system contains an enabled administrator account which is not documented. After a successful installation, the system notifies you to change the password and login information for the default administrator account (admin@example.com), but does not mention system-account@example.com.

The account is created with an MD5-hashed password (MD5 is an unsalted hash, not encryption) which resisted basic dictionary cracking attempts. However, because the account and its password hash are the same on every installation, anyone who knows the password (i.e., someone from the Eventum development team, or anyone who eventually cracks the hash) would be able to log in to any Eventum system as an administrator.
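The following is an added audit script, not code from the Eventum project or from this advisory. It assumes an Eventum-style user table named eventum_user with columns usr_email, usr_password (raw MD5 hex digest) and usr_status ('active' / 'inactive'); the real 1.3.1 schema may use different names, so check them before pointing this at a production database. It builds that table in an in-memory SQLite database from constructed sample rows (the system-account hash below is invented, not the real one), lists the installer-created accounts that are still enabled, runs a basic dictionary check against their MD5 hashes, and shows the workaround for installations that cannot upgrade yet: disable the undocumented account and overwrite its hash with that of a random secret nobody knows.

```python
"""Audit an Eventum-style user table for enabled, undocumented default accounts.

Added example; table and column names are assumptions, sample rows are constructed.
"""
import hashlib
import secrets
import sqlite3

# Accounts the installer creates; the install notes only mention the first one.
DEFAULT_ACCOUNTS = ("admin@example.com", "system-account@example.com")

# Tiny constructed wordlist standing in for a "basic dictionary" attempt.
WORDLIST = ("password", "admin", "eventum", "changeme", "system")

# Constructed rows: (usr_email, usr_password as MD5 hex, usr_status).
# The system-account hash is made up for this example and is NOT the real one.
SAMPLE_ROWS = [
    ("admin@example.com", hashlib.md5(b"changeme").hexdigest(), "active"),
    ("system-account@example.com",
     hashlib.md5(b"made-up-secret-not-in-wordlist").hexdigest(), "active"),
    ("alice@example.org", hashlib.md5(b"hunter2").hexdigest(), "active"),
]


def load_sample_db():
    """Create the assumed eventum_user table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE eventum_user ("
        "usr_id INTEGER PRIMARY KEY, usr_email TEXT, "
        "usr_password TEXT, usr_status TEXT)"
    )
    conn.executemany(
        "INSERT INTO eventum_user (usr_email, usr_password, usr_status) "
        "VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def find_enabled_defaults(conn):
    """Return [(email, md5_hex)] for installer-created accounts still marked active."""
    placeholders = ",".join("?" * len(DEFAULT_ACCOUNTS))
    return conn.execute(
        "SELECT usr_email, usr_password FROM eventum_user "
        f"WHERE usr_status = 'active' AND usr_email IN ({placeholders})",
        DEFAULT_ACCOUNTS,
    ).fetchall()


def dictionary_check(md5_hex, wordlist=WORDLIST):
    """Return the wordlist entry whose unsalted MD5 matches, or None if none does."""
    target = md5_hex.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def audit(conn):
    """Map each enabled default account to its cracked password (None = not cracked)."""
    return {email: dictionary_check(pw_hash)
            for email, pw_hash in find_enabled_defaults(conn)}


def disable_accounts(conn, emails):
    """Workaround: mark the given accounts inactive and replace their hash with
    that of a random 32-byte secret, so even the original password no longer
    works. Returns the number of rows changed."""
    placeholders = ",".join("?" * len(emails))
    new_hash = hashlib.md5(secrets.token_bytes(32)).hexdigest()
    cur = conn.execute(
        "UPDATE eventum_user SET usr_status = 'inactive', usr_password = ? "
        f"WHERE usr_email IN ({placeholders})",
        (new_hash, *emails),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = load_sample_db()
    for account, cracked in audit(db).items():
        print(f"{account}: enabled, password {'= ' + cracked if cracked else 'not in wordlist'}")
    changed = disable_accounts(db, ("system-account@example.com",))
    print(f"disabled {changed} undocumented account(s)")
    print("remaining:", audit(db))
```

On a real installation the audit query is the part worth keeping: run it (with the correct table and column names) after every install or upgrade, and treat any enabled account you did not create yourself as a finding, whether or not its hash cracks.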

Fix/Workaround:
MySQL reports Eventum release 1.4 resolves this issue.

Vendor Status:
MySQL was notified on 12/28/2004. The MySQL bug report system immediately makes issues public, which is why this release coincides with vendor disclosure.

Contacts:
sullo@cirt.net

References:
Updated information can be found on OSVDB.org under the following entries:

OSVDB-12605 MySQL Eventum Default Vendor Account