Backdoor Discovered In Atlassian Crowd

An anonymous reader writes "Recently published on the Command Five website is a technically detailed threat advisory (PDF) in relation to a recurring vulnerability in Atlassian Crowd. Tucked away inconspicuously at the end of this document in a section entitled 'Unpatched Vulnerabilities' is the real security bombshell: Atlassian's turnkey solution for enterprise single sign-on and secure user authentication contains an unpatched backdoor. The backdoor allows anyone to remotely take full control of a Crowd server and, according to Command Five, successful exploitation 'invariably' results in compromise of all application and user credentials as well as accessible data storage, configured directories (for example Active Directory), and dependent systems."

Re:Not surprising

[BitZtream]

... So when they repeatedly state that the built in database is for evaluation purposes ONLY and that usage of it may result in data corruption or loss ... on EVERY PAGE ADMIN PAGE UNTIL YOU SWITCH OFF OF the built in database, that wasn't enough of a warning for you?

I'm not sure how much more warning you can get, short of them corrupting your database intentionally on a daily basis so you get the point sooner.