[pmwiki-users] NewsMaster

kirpi at kirpi.it kirpi at kirpi.it
Sun May 18 23:32:01 CDT 2008

> I did not know what the password is for user 'admin'.
> It seems not to be the one one can set in news/config.php
> (as shipped:
> $uname[1] = "admin";
> $upass[1] = "advin";
> )
> I could not log in with this pair.
> But then I discovered I could register as a
> new News Master! And after registering I could log in.
> So this does not seem to be secure either.
> What am I missing?

> The micro_login_system allows a new user to register creating a new
> user name and encrypted password.
> I think this needs to be disabled. There should be no register
> link, and the registerUser function in common.php should be disabled.
> Still this leaves a little problem adding new NewsMasters: username
> and md5 encrypted password needs to be added to userpwd.txt.

You're not missing anything, Hans: the original (news/config.php) is
still there but I (partially) disabled it.
In an attempt to provide a more secure login script, I tried and plug
in that micro_login_system which comes with the register function on.
Also, I kept the register function available, so that anybody (like
you) could register and visit the admin side of Newsmaster at my own
site install.

Please bear in mind that I am not (read: not) a programmer and
understand next to nothing (read: really nothing) about all that
javascript/php/unix/css/.. things.
So, before completely disable anything, I temporarily comment it out:
here is why at the moment two login systems seem to coexist.

As far as I can tell some steps could now be:

1 - understand if all I did till now is safe
2 - if so, disable the old news/config.php login system
3 - find a way to make the register function only available by already
registered users, so that an admin can enable more admins, but nobody
from the outer world can.
4 - Understand if that
http://www.kirpi.it/news/micro_login_system/userpwd file is safe the
way it is and/or it should be better to hide it. At the very least I
thought it would be a step ahead to change its name to something more
exotic (like y5l4cxw2) in order not to attract malicious people's
5 - re-enable the Log. You do not see the link in my install, but
there is also a Login-Log. I broke it as it took data fron the old
access system: I have to feed data from the new access system now. The
file is in data/access_log and the function that writes to it is in
the admin.php file. I just commented the menu link that shows it, for
the moment.

All that I'll try and solve soon.
Any more thoughts?


More information about the pmwiki-users mailing list