From: <tu...@tu...> - 2001-11-19 15:58:45
I find a hole on your demo site..And I change all password to enter the
helpdesk..Please make warning to helpdesk users..If you need the password
I can send you..See you later..
--
_____________________________________________
Hello, free mail and membership http://turks.i-p.com
JOIN US.

Powered by Instant Portal

From: alister a. <ali...@ut...> - 2001-11-20 02:03:58
Yes. And that's helpful.

Unless you're a script kiddie wannabe, you would not do this. Do you not
realise that it's self-evident that a program like this isn't immensely
secure? Demo sites *aren't supposed* to have top security on them in any
case, as otherwise the demo is somewhat limited.

Further, it's polite to point out the security hole in a non-malicious way -
emailing the sourceforge project leader would be one such way. Changing the
password and attempting to hold the demo site to ransom is *not* one such
way. It would be polite now to change the passwords back to their originals.

If you want to secure your helpdesk system, you might want to restrict the
IP addresses that can access it, and ensure a valid reverse lookup is
performed.

Regards,
Alister

At 02:58 AM 11/20/2001, tu...@tu... wrote:
>I find a hole on your demo site..And I change all password to enter the
>helpdesk..Please make warning to helpdesk users..If you need the password
>I can send you..See you later..
>--
>_____________________________________________
>Hello, free mail and membership http://turks.i-p.com
>JOIN US.
>
>Powered by Instant Portal
>
>_______________________________________________
>Phphelpdesk-help mailing list
>Php...@li...
>https://lists.sourceforge.net/lists/listinfo/phphelpdesk-help

--
Alister Air                    Ph 9514 1277
IT Manager                     Fx 9514 1656
Faculty of Science, University of Technology Sydney

"I will never apologize for the United States of America. I don't care
what the facts are."
George H Bush, 1988, after the U.S. warship Vincennes shot down an Iranian
airliner in a commercial corridor, killing 290 civilians.

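The address restriction and reverse-lookup check suggested in the message above, sketched in Python as an added example (it is not part of the original thread and not phpHelpDesk code). The network ranges are constructed documentation ranges, and the resolver functions are injectable so the logic can be exercised offline.

```python
import ipaddress
import socket

# Constructed allowlist (documentation ranges); replace with the real staff networks.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("2001:db8:10::/48")]


def system_reverse(ip):
    """PTR lookup via the system resolver; returns the host name or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """A/AAAA lookup via the system resolver; returns a set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def _same_address(text, addr):
    try:
        return ipaddress.ip_address(text) == addr
    except ValueError:  # scoped or malformed resolver output
        return False


def check_client(ip, allowed=ALLOWED_NETWORKS,
                 reverse=system_reverse, forward=system_forward):
    """Return (ok, detail): allowlist first, then forward-confirmed reverse DNS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "not an IP address"
    if not any(net.version == addr.version and addr in net for net in allowed):
        return False, "address not in allowlist"
    name = reverse(str(addr))
    if not name:
        return False, "no PTR record"
    # The PTR record is set by whoever controls the address block, so the name
    # is only accepted if it resolves back to the same address.
    if not any(_same_address(a, addr) for a in forward(name)):
        return False, "PTR name does not resolve back to the address"
    return True, name
```

A network-level check like this narrows who can reach the login page; it does not replace changing the default accounts discussed later in the thread.
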
From: Kevin M. S. <sh...@cg...> - 2001-11-20 10:38:09
On Tue, 20 Nov 2001, alister air wrote:

> such way. Changing the password and attempting to hold the demo site to
> ransom is *not* one such way. It would be polite now to change the
> passwords back to their originals.

I agree with Alister. If anyone needs assistance recovering from such an
act, then email me directly. I can help them change the password back
without the help of the person that changed it.

-k

From: Pim v. S. <pim...@nl...> - 2001-11-20 13:22:48
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I rather like to know what the leak exactly is and how to solve it.
Is it possible for anyone to tell?

Regards, Pim

> -----Original Message-----
> From: php...@li...
> [mailto:php...@li...] On behalf of Kevin M. Shortt
> Sent: Tuesday 20 November 2001 12:10
> To: alister air
> CC: tu...@tu...; php...@li...
> Subject: Re: [Phphelpdesk-help] A hole about helpdesk..
>
> On Tue, 20 Nov 2001, alister air wrote:
>
> > such way. Changing the password and attempting to hold the demo site to
> > ransom is *not* one such way. It would be polite now to change
> > the passwords back to their originals.
>
> I agree with Alister. If anyone needs assistance recovering from
> such an act, then email me directly. I can help them change the
> password back without the help of the person that changed it.
>
> -k
>
> _______________________________________________
> Phphelpdesk-help mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phphelpdesk-help

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBO/pZdY5pIpBZNFf7EQIIyQCfVCxOhhh0SLLuukcmieTv+Bzje/IAnRDo
rcLeZnBdGYLxLS5HHELrgG5K
=XfY3
-----END PGP SIGNATURE-----

From: Kevin M. S. <sh...@cg...> - 2001-11-20 13:35:15
On Tue, 20 Nov 2001, Pim van Stam wrote:

> I rather like to know what the leak exactly is and how to solve it.
> Is it possible for anyone to tell?
>

I posted last week about one issue I discovered.
If the issue is known about, and all default usernames/passwords
are cleaned up properly, then there really isn't any way a user
could get the access.

The issue I discovered can be read in detail at:
http://sourceforge.net/tracker/index.php?func=detail&aid=481678&group_id=5706&atid=205706

The issue of the demo site password being changed was that the
default usernames with default privileges were installed and unchanged,
so anyone familiar with phphelpdesk would be able to guess it, and
compromise the phphelpdesk demo. That's the extent of it really.

All in all the software is sound.

To follow the information posted on the url above, click on the "Browse"
link near the top of the page, that will bring you to the index of
posts for phphelpdesk.

I hope this helps.

-k

From: Pim v. S. <pim...@nl...> - 2001-11-20 14:35:04
> -----Original Message-----
> From: php...@li...
> [mailto:php...@li...] On behalf of Kevin M. Shortt
> Sent: Tuesday 20 November 2001 15:08
> To: Pim van Stam
> CC: php...@li...
> Subject: RE: [Phphelpdesk-help] A hole about helpdesk..
>
> On Tue, 20 Nov 2001, Pim van Stam wrote:
>
> > I rather like to know what the leak exactly is and how to solve it.
> > Is it possible for anyone to tell?
> >
>
> I posted last week about one issue I discovered.
> If the issue is known about, and all default usernames/passwords
> are cleaned up properly, then there really isn't any way a user
> could get the access.
>
> The issue I discovered can be read in detail at:
> http://sourceforge.net/tracker/index.php?func=detail&aid=481678&group_id=5706&atid=205706
>
> The issue of the demo site password being changed was that the
> default usernames with default privileges were installed and
> unchanged,
> so anyone familiar with phphelpdesk would be able to guess it, and
> compromise the phphelpdesk demo. That's the extent of it really.
>
> All in all the software is sound.
>
> To follow the information posted on the url above, click on the "Browse"
> link near the top of the page, that will bring you to the index of
> posts for phphelpdesk.
>
> I hope this helps.
>
> -k
>

Is there a solution, apart from deleting from the database directly by
'mysql'?
And if not, if I delete from the table security, with the following, is
there anything else left behind?

    mysql> delete from security where s_user='testuser';

Regards, Pim

From: Andrew <ajw...@ro...> - 2001-11-28 02:35:36
Pim;

Yes, you can delete from the security table, it won't cause problems (just
be careful when doing any update or delete sql) ... You can also use sql to
change passwords if needed (they are stored as plain text)

The current version of the helpdesk does have a delete user option .. I
don't remember which version this feature was added to, but it's been there
quite a while.

Andrew

On Tuesday 20 November 2001 09:36, Pim van Stam wrote:
> > -----Original Message-----
> > From: php...@li...
> > [mailto:php...@li...] On behalf of Kevin M. Shortt
> > Sent: Tuesday 20 November 2001 15:08
> > To: Pim van Stam
> > CC: php...@li...
> > Subject: RE: [Phphelpdesk-help] A hole about helpdesk..
> >
> > On Tue, 20 Nov 2001, Pim van Stam wrote:
> > > I rather like to know what the leak exactly is and how to solve it.
> > > Is it possible for anyone to tell?
> >
> > I posted last week about one issue I discovered.
> > If the issue is known about, and all default usernames/passwords
> > are cleaned up properly, then there really isn't any way a user
> > could get the access.
> >
> > The issue I discovered can be read in detail at:
> > http://sourceforge.net/tracker/index.php?func=detail&aid=481678&group_id=5706&atid=205706
> >
> > The issue of the demo site password being changed was that the
> > default usernames with default privileges were installed and
> > unchanged,
> > so anyone familiar with phphelpdesk would be able to guess it, and
> > compromise the phphelpdesk demo. That's the extent of it really.
> >
> > All in all the software is sound.
> >
> > To follow the information posted on the url above, click on the "Browse"
> > link near the top of the page, that will bring you to the index of
> > posts for phphelpdesk.
> >
> > I hope this helps.
> >
> > -k
>
> Is there a solution, apart from deleting from the database directly by
> 'mysql'?
> And if not, if I delete from the table security, with the following, is
> there anything else left behind?
>
> mysql> delete from security where s_user='testuser';
>
> Regards, Pim
>
> _______________________________________________
> Phphelpdesk-help mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phphelpdesk-help