Re: [Phpslash-devel] the god/password issue
From: Joe S. <joe...@us...> - 2004-10-06 21:18:44
on 10/06/04 17:37 tobozo said the following:
> Hi everyone
>
> I just typed the word 'slashSess' in google to see how many results it
> returned, then found some modified versions of phpslash, some are 0.7
> based, some are hybrid, and a few are 0.8; most of them have upload enabled.
> Looking at those different mutations, I tried to access the login page
> on a few sites I got from the google search results, using the well
> known god/password access.
> On most phpslash sites I was surprised by the fact that the God account was
> NOT disabled and the password NOT changed...
>
> Because people stop RTFM-ing as soon as phpSlash is up and running,
> they miss the advice that tells them to delete the account, and then it
> becomes easy to get into any version (0.7x, 0.8x) by just collecting URLs
> from google and giving it a try.
>

good point.

> Possible solutions to fix this problem would be one of these:
> - change the default admin username/pass before the next release of
> phpSlash, and again for every following release
> - generate the default admin username/password during the setup.php process
> using random chars
> - prompt the user to rename 'god' and change the pass once setup is complete
>

I had been thinking about the user entering their username and password in the
install wizard and replacing the god/password user with it.

Joe

> Eventually add some helpers to the login/session core:
> - display a warning on every page until one of the previous possible
> solutions is applied (e.g. phpMyAdmin displays a red warning when
> connected to a database with a blank password)

These types of things are pretty simple to add now. Look at these blocks brought
from Back-End:

http://cvs.sourceforge.net/viewcvs.py/phpslash/phpslash-dev/include/modules/admin/

They can be deleted at any time by the administrator too.

later,
Joe

> - add password strength tests and notification for all users (existing,
> add, update)
>
>
> be well
> tobozo
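As an added example (not phpSlash code and not from either poster), here is how the three ideas in this thread fit together in PHP: the installer replaces the shipped god/password account with user-chosen credentials (or a random password), a strength check is applied to any password set, and a runtime check drives the phpMyAdmin-style red warning while the default login still works. The table and column names (psl_author, author_name, pwd) and the use of password_hash() are assumptions.

```php
<?php
// Added example, not phpSlash code. Schema names below are assumptions.
const DEFAULT_ADMIN_USER = 'god';
const DEFAULT_ADMIN_PASS = 'password';

/** Return a list of reasons a password is unacceptable (empty list = OK). */
function passwordProblems(string $pw): array {
    $problems = [];
    if (strlen($pw) < 12) { $problems[] = 'shorter than 12 characters'; }
    if (!preg_match('/[a-z]/', $pw) || !preg_match('/[A-Z]/', $pw)) {
        $problems[] = 'needs both upper and lower case letters';
    }
    if (!preg_match('/\d/', $pw)) { $problems[] = 'needs a digit'; }
    if (strcasecmp($pw, DEFAULT_ADMIN_PASS) === 0) { $problems[] = 'is the shipped default'; }
    return $problems;
}

/** Random admin password for setup.php when the installer chooses none. */
function randomPassword(int $len = 20): string {
    // Alphabet avoids look-alike characters (0/O, 1/l/I) for easier transcription.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789';
    do {
        $out = '';
        for ($i = 0; $i < $len; $i++) {
            $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
    } while (passwordProblems($out)); // retry until it passes the same checks users face
    return $out;
}

/** Install wizard step: rename 'god' and store a hash of the chosen password. */
function replaceDefaultAdmin(PDO $db, string $user, string $pass): void {
    if ($user === DEFAULT_ADMIN_USER || passwordProblems($pass)) {
        throw new InvalidArgumentException('admin credentials rejected');
    }
    $stmt = $db->prepare(
        'UPDATE psl_author SET author_name = :u, pwd = :h WHERE author_name = :god');
    $stmt->execute([':u' => $user,
                    ':h' => password_hash($pass, PASSWORD_DEFAULT),
                    ':god' => DEFAULT_ADMIN_USER]);
}

/** Per-page check behind the red warning: does the shipped login still work? */
function defaultAdminStillActive(PDO $db): bool {
    $stmt = $db->prepare('SELECT pwd FROM psl_author WHERE author_name = :god');
    $stmt->execute([':god' => DEFAULT_ADMIN_USER]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify(DEFAULT_ADMIN_PASS, (string) $hash);
}
```

The same passwordProblems() check can be reused on the add/update user forms, so the "notification for all users" item in the thread needs no second implementation.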