viviotech / lucee-installer

BitRock Installer XML config and files for the Lucee installers
http://lucee.viviotech.net/

Increase security of new web admins by default #89

Closed utdream closed 6 years ago

utdream commented 6 years ago

As requested.

gfranz commented 6 years ago

Hey Jordan, I presume you are storing the password in the lucee-web.xml.cfm for the default web context. But you can easily set the default password for the Lucee Admins by setting the default password in the lucee-server.xml file, as you already are doing now with the server admin password. The key is like this:

```xml
<cfLuceeConfiguration default-hspw="8578ec8db22c6c29a8e7f7639cc89e69cae791da6eace56ab280904022c95bdc" hspw="8578ec8db22c6c29a8e7f7639cc89e69cae791da6eace56ab280904022c95bdc" salt="DE38ADDB-D917-4CA7-80951EB505C84E77" version="4.5" >
```

The key is called default-hspw.

utdream commented 6 years ago

Hey Gert,

Working on this for the 5.2.5.020 builds, and it occurs to me that this might be best if implemented in Lucee core rather than the installers. The installers implement the bundled JAR, which, when run for the first time, creates the lucee-server directory along with the default configs. The installer then performs an HTTP POST to the admin URL's (default server and default web) in order to add the password to them. If the default functionality for Lucee Core was to use the "default server" admin password for all web contexts, wouldn't that make Lucee Core more secure by default?

In order to implement this in the installers, I'm going to need to edit the XML file that Lucee creates post-installation. I've been doing post-install edits using Shell Scripts on Linux and Bash Scripts on Windows, but editing XML is a pain with both of those. I'm currently of a mind to use a Java JAR or something to edit the file, but thinking about writing something in Java made me think this might be better if it was part of Lucee Core. Does that make sense? My apologies for not thinking this through earlier.

Please let me know your thoughts.
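The edit gfranz describes (copying the server admin hash in `hspw` into `default-hspw` on the `<cfLuceeConfiguration>` root of lucee-server.xml so that new web contexts are not left without an admin password) and the post-install XML edit utdream is wrestling with above, shown as an added example. This is not code from the lucee-installer project or from Lucee; it assumes the attribute layout posted in the thread, and the sample file, the closing tag, the `<setting/>` child and all function names are constructed for illustration. The thread does not state how Lucee derives `hspw` from a plaintext password, so the example only copies an existing hash and refuses to run when none is set.

```python
"""Copy the Lucee server admin password hash into default-hspw.

Added example, not code from the lucee-installer project. It assumes the
lucee-server.xml layout shown in the thread: a root <cfLuceeConfiguration>
element carrying hspw (the hashed, salted server admin password) and salt.
Setting default-hspw to the same hash makes every new web context reuse the
server admin password instead of starting without one.
"""
from pathlib import Path
from typing import Dict, Optional
import xml.etree.ElementTree as ET

# Constructed sample modelled on the snippet posted in the thread (hspw and
# salt values are the ones quoted there). The closing tag and the <setting/>
# child are stand-ins for whatever a real installer-generated file holds.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cfLuceeConfiguration hspw="8578ec8db22c6c29a8e7f7639cc89e69cae791da6eace56ab280904022c95bdc" salt="DE38ADDB-D917-4CA7-80951EB505C84E77" version="4.5">
  <setting/>
</cfLuceeConfiguration>
"""

ROOT_TAG = "cfLuceeConfiguration"


def admin_attrs(xml_text: str) -> Dict[str, Optional[str]]:
    """Return the three admin-password attributes of the root element."""
    root = ET.fromstring(xml_text)
    return {name: root.get(name) for name in ("hspw", "default-hspw", "salt")}


def set_default_admin_hash(xml_text: str, overwrite: bool = False) -> str:
    """Return xml_text with default-hspw set to the value of hspw.

    Raises ValueError when the root element is not <cfLuceeConfiguration> or
    when the server admin password has not been set yet (no hspw attribute):
    in that case there is nothing safe to copy, and silently writing an empty
    default would leave every web context open. An existing default-hspw is
    left alone unless overwrite=True, so the function is safe to re-run.
    """
    root = ET.fromstring(xml_text)
    if root.tag != ROOT_TAG:
        raise ValueError(f"unexpected root element <{root.tag}>, expected <{ROOT_TAG}>")
    hspw = root.get("hspw")
    if not hspw:
        raise ValueError("hspw is not set; set the server admin password first")
    if root.get("default-hspw") and not overwrite:
        return xml_text
    root.set("default-hspw", hspw)
    return ET.tostring(root, encoding="unicode")


def harden_server_config(path: Path) -> bool:
    """Apply set_default_admin_hash to a lucee-server.xml on disk.

    Returns True when the file was changed. Writes to a temporary file and
    renames it over the original so an interrupted run cannot leave a
    truncated config behind.
    """
    original = path.read_text(encoding="utf-8")
    updated = set_default_admin_hash(original)
    if updated == original:
        return False
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text('<?xml version="1.0" encoding="UTF-8"?>\n' + updated, encoding="utf-8")
    tmp.replace(path)
    return True


if __name__ == "__main__":
    print(admin_attrs(set_default_admin_hash(SAMPLE_SERVER_XML)))
```

Two caveats when running this against a real installer-generated file: ElementTree drops XML comments and reflows whitespace when it serialises, so diff the result before trusting it in a build, and the check on `hspw` deliberately fails closed, since an installer that has not yet POSTed the server admin password has no hash worth propagating.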

utdream commented 6 years ago

ping @gfranz (not sure if you'll get notified on a response that doesn't mention your handle...?)

utdream commented 6 years ago

Just found some methods in InstallBuilder which might actually make this really easy...

read value from xml file
set value in xml file

https://installbuilder.bitrock.com/docs/installbuilder-userguide/ar01s08.html

utdream commented 6 years ago

Okay, so after futzing with this off and on all day, this is working using the built-in Installer methods for reading and writing to XML files. That was nice of them to include those methods. I never knew they were even there. ;)

utdream commented 6 years ago

Implemented in Lucee 5.2.5.020 pl0 builds.