assignment question


assignment question

Art Manion

There is some software, part of the installation is a web server/application.  On initial install, the web application is configured with a default password.  Upon first login, the user is required to change the password, create new account(s), along with other first-time setup configuration activities.

IOW, if I obtain and install this software and walk away before completing the first-time setup, I've left myself exposed.

This is *barely* a vulnerability in my book, assuming there are sufficient warnings and documentation informing the user about the need to run the first-time setup.

CVE or no CVE?

Thanks,

  - Art

My answer is a weak "yes" with as low a severity/priority as possible.
Re: assignment question

Kurt Seifried-2


On Tue, Dec 11, 2018 at 5:43 PM Art Manion <[hidden email]> wrote:

There is some software, part of the installation is a web server/application.  On initial install, the web application is configured with a default password.  Upon first login, the user is required to change the password, create new account(s), along with other first-time setup configuration activities.

IOW, if I obtain and install this software and walk away before completing the first-time setup, I've left myself exposed.

Can you set a password in some other way (e.g. feeding it a configuration option/file)? If yes, then you have a safe way to do this. If not, I'd say it's CVE worthy. Precedent: FreeNAS CVE-2014-5334
This is *barely* a vulnerability in my book, assuming there are sufficient warnings and documentation informing the user about the need to run the first-time setup.

CVE or no CVE?

In my book, if you CAN do it safely, but pick an unsafe route, no CVE, but if you have no safe route to take, you win a CVE. 
Thanks,

  - Art

My answer is a weak "yes" with as low a severity/priority as possible.
--
Kurt Seifried
[hidden email]