Open churchmice opened 1 year ago
"Factory" installs usually also use a highly insecure username/password combination. When I asked Daniel, I was told the philosophy is "attacker is already behind the gate", as the SQL database is not accessible via the internet. If they own your box and are reading your logs, perhaps there are other, more pressing security concerns that need to be addressed?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Describe the bug
The admin password and MySQL password can be found in multiple log files without permission protection.

To Reproduce
Steps to reproduce the behavior: during installation, the information can be found in a place such as /var/log/httpd/ssl_error_log. The SQL password can be found in /var/www/AVideo/videos/configuration.php.

Expected behavior
Those files shall not be globally readable, or the installation script itself shall apply the appropriate permissions.

Additional context
In the installation guide, it shall be emphasized that those sensitive files shall be made readable only by the apache user, and not globally visible to others.
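The check and fix the report asks for, as an added example that is not part of the issue and not AVideo's own installer: audit a list of files for a readable "others" bit and strip it, handing ownership to the web-server user when run as root. The web-server user name `apache` and the helper names are assumptions (Debian-style installs use `www-data`); the paths in the trailing comment are the ones named in the report and are not verified here.

```shell
#!/bin/sh
# Added example, not AVideo's code. Assumes the web server runs as "apache".
set -u

# Print the "others" permission triplet (e.g. "r--") of one file,
# taken from the mode column of ls -ld (portable across GNU and BSD).
others_perms() {
    ls -ld "$1" | cut -c8-10
}

# Return 0 if the file is NOT readable by others, 1 if it is world-readable.
is_private() {
    case "$(others_perms "$1")" in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Remove all access for "others". If we are root and the web-server user
# (default: apache, an assumption) exists, make that user the owner so the
# server can still read the file. Returns 0 only if the file ends up private.
harden_file() {
    f=$1
    owner=${2:-apache}
    chmod o-rwx "$f" || return 1
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner":"$owner" "$f" || return 1
    fi
    is_private "$f"
}

# Audit the given files: print each world-readable one, return 1 if any were.
# Missing files are skipped so the same list works on partial installs.
audit_files() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if ! is_private "$f"; then
            echo "world-readable: $f ($(ls -ld "$f"))"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use against the paths named in the report (run as root):
#   audit_files /var/www/AVideo/videos/configuration.php /var/log/httpd/ssl_error_log
#   harden_file /var/www/AVideo/videos/configuration.php apache
```

`harden_file` only touches the "others" bits, so group access (e.g. a deploy group that also needs the config) is left as it was; tighten further with `chmod 640` if no such group exists. Rotated log copies get a fresh mode from the logging daemon, so the audit belongs in a cron job or the installer, not a one-off.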