OSVDB ID: 12605

Title: MySQL Eventum Default Vendor Account

Dates

Disclosure: Dec 28, 2004
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

By default, Eventum installs with an enabled, undocumented default administrator account. The 'system-account@example.com' account has an unknown password, but an attacker who knows this password can trivially access the Eventum system.

Classification

Location: Remote / Network Access
Attack Type: Authentication Management
Impact: Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

Upgrade to version 1.4 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw with the following workaround: change the password of the system-account@example.com account in the database, or set the account to inactive. Either will alleviate the problem and should leave Eventum functioning.

Products

Vendor: MySQL
Product: Eventum
Versions: 1.3.1, 1.3, 1.2.2, 1.2.1, 1.2, 1.1

Credit

  • Sullo - sullocirt.net - cirt.net


Direct URL: http://osvdb.org/12605