Closed: selloween closed this 5 years ago
TL;DR: If I know only the admin username and email address, I can be the admin. Having only the username and email address of a registered user gives me access. Trying first and last name combinations and presuming the domain being used for email addresses makes it relatively easy to guess possible user accounts and change their passwords.
I would personally advise against making an installation publicly available to external users, like over the internet.
But if you want to do that, you should change the default password, use a reverse proxy to make the web interface accessible, and maybe configure rate limiting to prevent brute force guessing of the passwords.
We don't really expect installations to have a large amount of users. Most of them only have one, I would guess.
Thanks for the quick reply. A reverse proxy, and maybe adding basic authentication on top as another security layer, would be a quick fix for my use case.
Having the functionality of setting or changing your user password publicly (via the "First login" prompt) seems to me very risky from a security point of view. You can easily access instances using the default admin user (provided it has not been removed), giving one the ability to change the password knowing only a username and email. A quick GitHub search provides the default admin credentials in the source code. Is this designed to be publicly exposed?
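The mitigations suggested in this thread (reverse proxy, basic authentication on top, rate limiting of password guessing) as one nginx configuration. This is an added example, not configuration from the project or from anyone in the thread; the hostname, certificate paths, upstream port and the login path are placeholders or assumptions, since the thread does not name them.

```nginx
# Added example: nginx in front of the web interface. Basic auth gates the
# whole site, so someone who only knows a username and e-mail address never
# reaches the "First login" prompt; rate limiting slows password guessing.
# Assumption: the application itself listens only on 127.0.0.1:8080, so the
# proxy cannot be bypassed by connecting to the app port directly.

# Per-client-address zone used for the login endpoint: 10 requests/minute.
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;

server {
    listen 443 ssl;
    server_name app.example.com;                          # placeholder

    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # placeholder

    # Extra authentication layer in front of the application's own login.
    # Create the file with: htpasswd -c /etc/nginx/.htpasswd <proxy-user>
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Tighter limit on the login / first-login endpoint. The real path is not
    # given in the thread; replace the placeholder with the application's one.
    location /LOGIN-PATH-PLACEHOLDER/ {
        limit_req        zone=login burst=5 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:8080;                 # assumed upstream
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;                 # assumed upstream
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Plain HTTP only redirects, so the basic-auth credentials never travel in
# the clear.
server {
    listen 80;
    server_name app.example.com;                          # placeholder
    return 301 https://$host$request_uri;
}
```

Rate-limited requests are logged by nginx at the error level set by `limit_req_log_level` (default `error`), which gives a simple signal for spotting guessing attempts; changing the default admin password still has to be done in the application itself.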