tobozo
2004-10-06 18:48:04 UTC
Hi everyone
I just typed the word 'slashSess' in google to see how many results it
returned, then found some modified versions of phpslash, some are 0.7
based some are hybrid, and a few are 0.8, most of them have upload enabled.
Looking at those different mutations, I tried to access the login page
on a few sites I got from the google search results, using the well
known god/password access.
On most phpslash sites I got surprised by the fact God account it was
NOT disabled and password NOT changed...
Because people stop to RTFM as soon as the phpSlash is up and running,
they miss the advice that tells them to delete the account, then it
becomes easy to get in any version (0.7x, 0.8x) by just collecting URL's
from google and give it a try.
Possible solution to fix this problem would be one of those :
- change the default admin username/pass before the next release of
phpSlash, and so on every next release
- generate default admin/username during the setup.php process using
random chars
- prompt user for renaming 'god' and changing pass once setup is complete
Eventually add some helpers to the login/session core :
- display a warning on every page until one of the previous possible
solutions is applied (eg. phpMyAdmin displays a red warning when
connected to a database with blank password)
- add password strenght tests and notification for all users (existing,
add, update)
be well
tobozo
I just typed the word 'slashSess' in google to see how many results it
returned, then found some modified versions of phpslash, some are 0.7
based some are hybrid, and a few are 0.8, most of them have upload enabled.
Looking at those different mutations, I tried to access the login page
on a few sites I got from the google search results, using the well
known god/password access.
On most phpslash sites I got surprised by the fact God account it was
NOT disabled and password NOT changed...
Because people stop to RTFM as soon as the phpSlash is up and running,
they miss the advice that tells them to delete the account, then it
becomes easy to get in any version (0.7x, 0.8x) by just collecting URL's
from google and give it a try.
Possible solution to fix this problem would be one of those :
- change the default admin username/pass before the next release of
phpSlash, and so on every next release
- generate default admin/username during the setup.php process using
random chars
- prompt user for renaming 'god' and changing pass once setup is complete
Eventually add some helpers to the login/session core :
- display a warning on every page until one of the previous possible
solutions is applied (eg. phpMyAdmin displays a red warning when
connected to a database with blank password)
- add password strenght tests and notification for all users (existing,
add, update)
be well
tobozo