
edubuntu-bugs team mailing list archive

[Bug 726691] [NEW] schooltool is configured with known password on installation

 

*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: schooltool

From README.Debian:
"By default a user 'manager' with password 'schooltool' is created with full access and modification privileges."

This is not a secure default. Based on paste.ini, it seems that the server only listens on the loopback interface, which reduces the attack surface to XSRF. It is easy to imagine the user updating paste.ini and forgetting to change the password. I don't know where the password is stored, but some methods to fix this include:
1. add a debconf question to prompt for the password (preferred)
2. generate a hard-to-guess random password, with instructions in README.Debian on how to change it
3. update schooltool to have a non-usable default password, with instructions in README.Debian on how to change it
4. update README.Debian to mention how to change the password before adjusting paste.ini. I.e., something on how to lock down the administrator account before going into production

** Affects: schooltool (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to schooltool in ubuntu.
https://bugs.launchpad.net/bugs/726691

Title:
  schooltool is configured with known password on installation
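The following is an added example, not code from the bug report, from schooltool or from the Debian/Ubuntu packaging. It shows fix options 2 to 4 from the report in executable form: a random manager password drawn from the kernel CSPRNG, a check that refuses the documented default ('schooltool'), and a pre-production check that flags the dangerous combination the report describes, a non-loopback bind address together with the default password. Assumptions: the bind address is read from a paste.ini-style "host = ..." line under a [server:main] section (the report does not confirm schooltool's actual key names), the password is supplied by the caller because the report does not say where it is stored, and the sample config is constructed here for the demonstration.

```shell
#!/bin/sh
# Added example; not schooltool's or the package's own code.

KNOWN_DEFAULT_PASSWORD=schooltool   # the default documented in README.Debian

# Option 2: a hard-to-guess password from the kernel CSPRNG.
# 32 alphanumeric characters give log2(62^32), about 190 bits of entropy.
gen_manager_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Options 3/4: refuse the shipped default, an empty value, or a very short one.
# Returns 0 when the password is acceptable, 1 otherwise.
check_not_default() {
    pw=$1
    case "$pw" in
        ''|"$KNOWN_DEFAULT_PASSWORD") return 1 ;;
    esac
    [ "${#pw}" -ge 12 ] || return 1
    return 0
}

# Read the bind address from a paste.ini-style file: the "host = ..." line in
# the [server:main] section (assumed layout). Prints 127.0.0.1 when the key is
# absent, mirroring the loopback-only default the report describes.
bind_host_from_ini() {
    awk -F'=' '
        /^\[/ { in_server = ($0 == "[server:main]") }
        in_server && $1 ~ /^[ \t]*host[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print "127.0.0.1" }
    ' "$1"
}

# Option 4 as a check: a loopback-only bind is tolerated (attack surface limited
# to XSRF, as the report notes); anything else requires a non-default password.
# Returns 0 if the deployment is acceptable, 1 if it must not go into production.
preflight_check() {
    ini=$1; pw=$2
    host=$(bind_host_from_ini "$ini")
    case "$host" in
        127.*|localhost|::1) return 0 ;;
    esac
    check_not_default "$pw"
}

# Write a constructed paste.ini-style config (not a real schooltool file).
write_sample_ini() {
    printf '%s\n' '[app:main]' '' '[server:main]' "host = $2" > "$1"
}

# Stand-alone demonstration: one verdict per case on the constructed config.
demo_ini=$(mktemp)
for host in 127.0.0.1 0.0.0.0; do
    write_sample_ini "$demo_ini" "$host"
    for pw in "$KNOWN_DEFAULT_PASSWORD" "$(gen_manager_password)"; do
        if preflight_check "$demo_ini" "$pw"; then verdict=OK; else verdict=REFUSED; fi
        echo "host=$host password=$pw -> $verdict"
    done
done
rm -f "$demo_ini"
```

A packaging fix along the lines of option 1 would obtain the password through debconf in the postinst instead of generating it; the check functions above apply unchanged to whichever source supplies the value.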


