[Phpslash-devel] the god/password issue
Brought to you by:
joestewart,
nhruby
Menu
▾
▴
[Phpslash-devel] the god/password issue
|
From: tobozo <to...@ma...> - 2004-10-06 20:32:45
|
Hi everyone I just typed the word 'slashSess' in google to see how many results it returned, then found some modified versions of phpslash, some are 0.7 based some are hybrid, and a few are 0.8, most of them have upload enabled. Looking at those different mutations, I tried to access the login page on a few sites I got from the google search results, using the well known god/password access. On most phpslash sites I got surprised by the fact God account it was NOT disabled and password NOT changed... Because people stop to RTFM as soon as the phpSlash is up and running, they miss the advice that tells them to delete the account, then it becomes easy to get in any version (0.7x, 0.8x) by just collecting URL's from google and give it a try. Possible solution to fix this problem would be one of those : - change the default admin username/pass before the next release of phpSlash, and so on every next release - generate default admin/username during the setup.php process using random chars - prompt user for renaming 'god' and changing pass once setup is complete Eventually add some helpers to the login/session core : - display a warning on every page until one of the previous possible solutions is applied (eg. phpMyAdmin displays a red warning when connected to a database with blank password) - add password strenght tests and notification for all users (existing, add, update) be well tobozo |
