Knowing the md5 hash of the password, it is possible to gain access to the install tool
Solution is to use PHP sessions instead and make these "secure".
Reported by: Bernhard Kraft
Security Team OTRS reference: 2009050410000038
(issue imported from #M12309)