straight55b / app-engine-patch

Automatically exported from code.google.com/p/app-engine-patch

Admin user hack vulnerability #87

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create the admin user from the link on the main page.
2. Change its password.
3. Try step 1 again.

What is the expected output? 

I expect step 3 to fail, as the admin user is already created.

What do you see instead?

It overrides the first admin user and its password with a new one. Thus
anybody can get access to the admin user by just clicking on the link.

What version of the product are you using? On what operating system?
1.06

Please provide any additional information below.

I suggest removing this term from the create_admin_user function:

"and user.check_password('admin')"

Original issue reported on code.google.com by hus...@gmail.com on 20 Feb 2009 at 6:10

GoogleCodeExporter commented 9 years ago
That's intended. Otherwise someone could change the password for the admin user and
suddenly nobody could access the sample project anymore.

Original comment by wkornew...@gmail.com on 20 Feb 2009 at 6:25

GoogleCodeExporter commented 9 years ago
But that is even worse: that means anybody can get access to the admin account at any time
and wreck the website.

What I normally expect is that the owner sets up the admin password on installation, and
this way only he gets access to the admin panel.

Original comment by hus...@gmail.com on 20 Feb 2009 at 9:40

GoogleCodeExporter commented 9 years ago
Yes, and what prevents you from doing exactly that? Normally, nobody should use
"myapp" in his website, anyway.

Original comment by wkornew...@gmail.com on 21 Feb 2009 at 6:36
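As an added example, not code from app-engine-patch, a minimal model of the two behaviours argued about in this thread: a bootstrap link that leaves the admin account with the default password every time it is clicked, beside a one-shot bootstrap that only runs when no admin exists and takes the installer's own password. The in-memory `store` dict, the `User` class and the password-policy check are assumptions standing in for the real datastore model.

```python
import hashlib
import hmac
import os


class User:
    """Minimal stand-in for the admin user model (assumption, not the project's model)."""

    def __init__(self, username, password):
        self.username = username
        self.salt = os.urandom(16)
        self.digest = self._hash(password, self.salt)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, password):
        # Re-salt on every password change so old digests cannot be compared.
        self.salt = os.urandom(16)
        self.digest = self._hash(password, self.salt)

    def check_password(self, password):
        return hmac.compare_digest(self._hash(password, self.salt), self.digest)


def create_admin_user_resetting(store):
    """Behaviour the reporter describes: each visit to the link leaves the admin
    account with the default password, even when an owner already changed it."""
    store["admin"] = User("admin", "admin")
    return store["admin"]


def create_admin_user_once(store, initial_password):
    """Behaviour the reporter expects: create the admin only when none exists,
    with a password chosen by the installer rather than a built-in default."""
    if "admin" in store:
        raise PermissionError("admin user already exists; bootstrap link is disabled")
    if initial_password == "admin" or len(initial_password) < 12:
        raise ValueError("choose a non-default password of at least 12 characters")
    store["admin"] = User("admin", initial_password)
    return store["admin"]
```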