On Mon, 3 Nov 2008 18:18:38 +0900 Paul Wise wrote:
> On Mon, Nov 3, 2008 at 5:40 PM, Evgeni Golov <[EMAIL PROTECTED]> wrote:
>
> > while working on a fix for opendb's RC/Security bug #504173, I noticed
> > that opendb creates a default admin user "test" with "test" as password.
> > This is IMHO a security hole, but I would like to hear your opinion -
> > is this okay or not?
>
> Sounds like a security issue to me, severity would depend on what
> admins can do and apache configuration though.
Apache config is autoadjusted (but you can disable this though) via the
maintainer scripts.
An admin can use the app, delete stuff, possibly exploit CVE-2008-4796 :)
- doesn't sound too good

Based on KiBi's words on IRC, opendb's popcon (22) and the count of
problems (CVE-2008-4796/#504173, this issue, 1 lintian error and 18
warnings[1]), why not just remove the package and let someone who is
interested upload a new upstream (upstream is at 1.5 now) after Lenny?

Regards

[1] http://lintian.debian.org/reports/maintainer/[EMAIL PROTECTED]
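As an added illustration of the default-credential problem the thread discusses (example code written for this page, not code from opendb, Debian, or either author): a POSIX shell fragment of the kind a package's maintainer script could run so that an application is never left with a well-known account such as "test"/"test". The user list and its `user:password` format are constructed for the example and are not opendb's real user table; the list of rejected default pairs is likewise an assumption.

```shell
#!/bin/sh
# Added example, not from the mail thread and not opendb's or Debian's own code.
# Two defensive checks a maintainer script could perform at install time.

# Generate a random admin password from /dev/urandom instead of shipping a
# fixed one. 24 characters from a URL-safe alphabet; tr filters the raw bytes.
generate_admin_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c 24
}

# Constructed sample of an application's user list, one "user:password" per
# line. This is a made-up format, NOT opendb's real schema.
SAMPLE_USERS='admin:test
alice:s3cr3t-not-default
test:test'

# Return 0 (shell true) if any entry in the given list is a well-known
# default credential pair, printing each offending entry; return 1 otherwise.
has_default_credentials() {
    users="$1"
    found=1
    # constructed list of default pairs to reject (assumption, not opendb's)
    for pair in 'admin:admin' 'admin:test' 'test:test' 'admin:password'; do
        if printf '%s\n' "$users" | grep -qx -- "$pair"; then
            echo "default credential present: $pair"
            found=0
        fi
    done
    return $found
}

# Typical use in a postinst-style flow: refuse to finish while defaults remain,
# and hand the generated password to the application's own setup routine.
if has_default_credentials "$SAMPLE_USERS"; then
    echo "refusing to install with default credentials present" >&2
fi
new_password=$(generate_admin_password)
echo "generated admin password of length ${#new_password}"
```

The check runs against whatever the package can read of the application's account data at install time; the point is that the failure mode (a fixed, documented password left in place) is detected and the replacement is unpredictable per installation.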