You are viewing the PKP Support Forum | PKP Home Wiki

admin/systemInfo page security issue


Post by libsupport » Mon Apr 29, 2013 11:47 pm

Hello everyone,

The Site Administration -> System Information page (found in admin/systemInfo) contains, amongst other useful things, the database username and password.
This is very 'sensitive' information and thus should either be encrypted by default (much like the login page) OR if no mod_ssl is present/configured, it should be stripped away during parsing of config.inc.php and never displayed in that unencrypted page.

I believe the same applies to OJS as well.

If you share my concerns, please release a patch (and include it in the next OCS release). I always get anxious when I have to click that link :)

Best regards,
Theodoropoulos Theodoros
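
The stripping step proposed in the post above, as an added example that is not part of the original post and is not PKP code: credential values are replaced while the INI-style configuration is parsed for display, unless the request arrived over HTTPS. The function names, the key pattern and the sample configuration are assumptions constructed for illustration.

```php
<?php
// Assumption: keys whose names match this pattern hold credentials.
const SENSITIVE_KEY_PATTERN = '/(username|password)/i';

/** Recursively replace the values of sensitive keys with a fixed marker. */
function redactConfig(array $config): array
{
    $out = [];
    foreach ($config as $key => $value) {
        if (is_array($value)) {
            $out[$key] = redactConfig($value);
        } elseif (preg_match(SENSITIVE_KEY_PATTERN, (string) $key) === 1) {
            // Fixed marker, so the length of the secret is not revealed either.
            $out[$key] = '[redacted]';
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

/** Parse INI-style config text and return only what may be rendered. */
function configForDisplay(string $iniText, bool $isHttps): array
{
    // INI_SCANNER_RAW keeps values as written (no on/off/null coercion).
    $parsed = parse_ini_string($iniText, true, INI_SCANNER_RAW);
    if ($parsed === false) {
        throw new RuntimeException('config could not be parsed');
    }
    return $isHttps ? $parsed : redactConfig($parsed);
}

// Constructed sample input, not a real configuration.
$sample = <<<'INI'
[general]
base_url = http://conference.example.org
[database]
driver = mysql
host = localhost
username = ocs_user
password = constructed-example-secret
name = ocs
INI;

// Over plain HTTP the credentials never reach the rendered page.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
print_r(configForDisplay($sample, $isHttps));
```

HTTPS only protects the values in transit; calling `redactConfig()` unconditionally also keeps them out of the browser cache and off the screen.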