Security hole


Francesco Terenzani

Sep 4, 2007, 6:26:50 AM
to gela...@googlegroups.com
Hi all,
Nice project!
But actually anyone can create an (administrator) account just by
running the install.php file and submitting the form :P

drs.P.

Sep 4, 2007, 9:14:25 AM
to Gelato CMS
Well it's rather normal to remove this file after installing I think,
but it wouldn't be harmful to mention it in the readme.txt


On Sep 4, 12:26 pm, "Francesco Terenzani" <f.terenz...@gmail.com> wrote:

Francesco Terenzani

Sep 4, 2007, 9:54:42 AM
to gela...@googlegroups.com
2007/9/4, drs.P. <spac...@gmail.com>:

> Well it's rather normal to remove this file after installing I think,

mmm... I think it is not rather normal for users :-)

> but it wouldn't be harmful to mention it in the readme.txt

I think it would be helpful ;-)

Victor Bracco

Sep 4, 2007, 10:05:43 AM
to gela...@googlegroups.com
For example, somebody could create an administrator account on your
computer if you left the Windows CD in place...

The next release may have better control of that.

Regards,

2007/9/4, Francesco Terenzani <f.ter...@gmail.com>:


--
Victor Bracco
http://www.vbracco.com.ar

Francesco Terenzani

Sep 4, 2007, 10:58:03 AM
to gela...@googlegroups.com
He-he, funny response, Victor :D

Sorry, I don't speak English very well, I hope to be understandable...

1) Running install.php you don't reinstall the tumblelog, but you
can create a new account
2) Taking a look at Gelato's users
(http://www.google.it/search?q=%22powered+by+gelato+cms%22), deleting
install.php doesn't seem so "rather normal"
3) Deleting that file isn't rather normal also because many of
Gelato's users are also WordPress users, and I think the following code
in WordPress's install.php is useful just for this purpose (it doesn't
delete anything):

if ( is_blog_installed() )
    die('<h1>'.__('Already Installed').'</h1><p>'
        .__('You appear to have already installed WordPress. To reinstall please clear your old database tables first.')
        .'</p></body></html>');

2007/9/4, Victor Bracco <vbr...@gmail.com>:
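The "already installed" guard Francesco points at, written out as an added example (this is not Gelato's or WordPress's code): an install.php prologue that refuses to run the account-creation form once the site is installed, checking both an installer lock file and whether any user already exists. The data/ paths, the SQLite database and the users table are assumptions.

```php
<?php
// Added example, not Gelato's or WordPress's own code.
// Assumes a SQLite database at data/gelato.db with a "users" table and a
// lock file at data/installed.lock; all three names are hypothetical.

function is_already_installed(string $lockFile, PDO $db): bool
{
    // Two independent signals: the lock file the installer writes when it
    // finishes, and the presence of at least one user row. Either one is
    // enough to treat the site as installed, so deleting only the lock file
    // does not reopen account creation.
    if (is_file($lockFile)) {
        return true;
    }
    try {
        $count = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
        return $count > 0;
    } catch (PDOException $e) {
        // No users table yet: the schema has not been created, so not installed.
        return false;
    }
}

function finish_install(string $lockFile): void
{
    // Written last, after the admin account is stored, so a crash
    // mid-install does not lock out a retry.
    file_put_contents($lockFile, date('c') . "\n", LOCK_EX);
}

$lockFile = __DIR__ . '/data/installed.lock';
$db = new PDO('sqlite:' . __DIR__ . '/data/gelato.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if (is_already_installed($lockFile, $db)) {
    // Log the attempt: repeated hits on install.php after installation are
    // worth noticing in the server logs.
    error_log('install.php requested on an installed site from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(403);
    exit('<h1>Already installed</h1><p>To reinstall, remove the database '
        . 'and data/installed.lock first.</p>');
}

// ... the normal installer (schema creation, admin account form) follows
// here and calls finish_install($lockFile) once the admin account exists.
```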

pecesama

Sep 4, 2007, 11:35:16 AM
to Gelato CMS
Jeje, yeah, we need to improve the security of install.php.

Now it's on the list for the next release :)

On Sep 4, 9:58 am, "Francesco Terenzani" <f.terenz...@gmail.com> wrote:

drs.P.

Sep 4, 2007, 1:04:48 PM
to Gelato CMS
Off-topic discussion:
Well, you might be right, but a search on admind.php and so on will
also give many hits. I always wondered why so many online tools use
these terms, also the login.php.

As a matter of fact it isn't a security issue in gelato; more caution
should be used with config.php files, they often contain
unscrambled information.

On Sep 4, 4:58 pm, "Francesco Terenzani" <f.terenz...@gmail.com> wrote:
