14 Jun
2006
14 Jun
'06
9:29 p.m.
Hello,
I just noticed that openser_mysql.sh creates the username "admin" with the default openserrw password in the subscriber table.
This seems to introduce a security hole where a well-known username and password pair would exist on most virgin openser installations.
Is there a good reason to have that entry in the "subscriber" table? Is it used anywhere?
Now I know that we're supposed to change the mysql access passwords, but I have to admit that I didn't think to change a password actually emebedded IN the data of the mysql database.
Did I miss a critical security note somewhere alerting me to this default user?
Thanks, -mark