
Re: another topic: insecure default installations



Good suggestion, but should also include an easy way for the admin to
reset the password in a uniform manner... I can't count the number of times
someone has come to me asking how to reset a password that they
entered without thinking during the install of an app.




> a lot of applications have dubious default installations, where one
> can log in with a default username/password, or otherwise gain
> control of the application without requiring credentials.
>
> i think it would be wise to address this in the policy draft.
>
> specifically, i think web apps should be required to not have a default
> login (default to Debian or the application), and if it is not possible
> to prevent this, the application should not be accessible by default, or
> at the very least the admin should be warned of this and given the
> option to abort the install.
>
> how this would pan out in a real world situation would not be very
> generalizable, but again hooks/infrastructure could probably be put
> in place to support this.
>
> thoughts?
>
>
> 	sean
>
> --
>



