|
|
Info |
Last Modified |
| 10 months ago |
|
|
|
|
Description |
By default, Eventum installs with an enabled default administrator account which is not documented. The 'system-account@example.com' account has an unknown password, but allows attackers who know this password to trivially access the Eventum system.
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Authentication Management
Impact:
Loss of Confidentiality,
Loss of Integrity,
Loss of Availability
Exploit:
Exploit Unknown
Disclosure:
OSVDB Verified
|
|
Technical |
The schema.sql file, loaded upon Eventum setup, contains the account 'system-account@example.com' with the MD5 hash of '14589714398751513457adf349173434'.
|
|
Solution |
Upgrade to version 1.4 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: change the system-account@example.com's password in the database, or setting the account to inactive, which will alleviate the problem and should leave Eventum functioning.
|
|
Products |
|
Eventum
 |
1.3.1 |
1.3 |
1.2.2 |
1.2.1 |
1.2 |
1.1 |
|
|
|
|
|
|
Credit |
- Sullo - sullo
 cirt.net - cirt.net
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
