Admin password can be set to empty
| Reported by: | bruno@… | Owned by: | adrian |
| Severity: | | Keywords: | password admin user auth |
| Cc: | | Triage Stage: | Design decision needed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
Following this article: http://coderseye.com/2007/howto-reset-the-admin-password-in-django.html, it appears that you can use the User model to set any password (including admin) to an empty string without an error message.
    $ sudo ./manage.py shell
    Python 2.4.3 (#2, Oct 6 2006, 07:52:30)
    [GCC 4.0.3 (Ubuntu 4.0.3-1ubuntu5)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    (InteractiveConsole)
    >>> from django.contrib.auth.models import User
    >>> users = User.objects.all()
    >>> users
    [<User: bruno>]
    >>> users.set_password('')
    >>> users.save()
    >>>
Worse, if you connect to the admin interface, it lets you in using an empty password.
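An added example, not part of the original ticket and not Django's own code: an audit that flags accounts whose stored hash verifies against the empty string, plus a hypothetical guard that refuses empty passwords before hashing. It assumes the `algo$salt$hexdigest` storage layout (hexdigest of salt + password) used by Django releases of that period; every function name and the sample rows are constructed for illustration.

```python
import hashlib
import hmac


def make_legacy_hash(raw_password, salt):
    """Build an 'sha1$salt$hexdigest' string (assumed legacy storage layout)."""
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def verifies_as(stored, candidate):
    """True if `candidate` matches a stored 'algo$salt$hexdigest' value."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] not in ("sha1", "md5"):
        return False  # unknown or unusable format: matches no password
    algo, salt, expected = parts
    actual = hashlib.new(algo, (salt + candidate).encode("utf-8")).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(actual.encode("utf-8"), expected.encode("utf-8"))


def accounts_with_empty_password(rows):
    """Return usernames whose stored hash verifies against the empty string."""
    return [name for name, stored in rows if verifies_as(stored, "")]


def set_password_checked(raw_password, salt):
    """Hypothetical guard: reject empty or whitespace-only passwords."""
    if raw_password is None or not raw_password.strip():
        raise ValueError("empty password rejected")
    return make_legacy_hash(raw_password, salt)


# Constructed sample rows (username, stored password field); not real data.
SAMPLE_ROWS = [
    ("bruno", make_legacy_hash("", "a1b2c")),          # empty password was set
    ("alice", make_legacy_hash("correct horse", "9f8e7")),
    ("svc", "!"),                                      # constructed unusable marker
]

if __name__ == "__main__":
    print(accounts_with_empty_password(SAMPLE_ROWS))
```

The same audit idea applies to a live project by calling `check_password('')` on each `User` object instead of parsing the stored field by hand.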
Change History (4)
comment:1 Changed 7 years ago by Simon G. <dev@…>
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Design decision needed