
admin/systemInfo page security issue


Post by libsupport » Mon Apr 29, 2013 11:47 pm

Hello everyone,

The Site Administration -> System Information page (found in admin/systemInfo) contains, amongst other useful things, the database username and password.
This is very 'sensitive' information and thus should either be encrypted by default (much like the login page) OR, if no mod_ssl is present/configured, it should be stripped away during parsing of config.inc.php and never displayed in that unencrypted page.

I believe the same applies to OJS as well.

If you share my concerns, please release a patch (and include it in the next OCS release). I always get anxious when I have to click that link :)

Best regards,
Theodoropoulos Theodoros
Posts: 7
Joined: Fri Jan 07, 2011 3:44 am
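
The stripping requested in the post above, sketched as an added example; it is not part of the original post and is not OCS code. It masks secrets in an INI-style configuration before a system-information page displays it. The helper names, the `[database]` section and key names, the secret-key naming convention and the sample values are assumptions.

```php
<?php
// Added example (not OCS code): mask secrets in a parsed INI-style config
// before a system-information page renders it.

const REDACTED = '********';

// Assumed naming convention: keys containing these words hold secrets.
function isSensitiveKey(string $key): bool
{
    return preg_match('/password|secret|salt|api_key/i', $key) === 1;
}

// Returns a display-safe copy. Secrets are always masked; the database
// username is also masked when the page is not served over HTTPS.
function redactConfigForDisplay(array $config, bool $isHttps): array
{
    $safe = [];
    foreach ($config as $section => $settings) {
        if (!is_array($settings)) {            // key outside any section
            $safe[$section] = isSensitiveKey($section) ? REDACTED : $settings;
            continue;
        }
        foreach ($settings as $key => $value) {
            $mask = isSensitiveKey($key)
                || (!$isHttps && $section === 'database' && $key === 'username');
            $safe[$section][$key] = $mask ? REDACTED : $value;
        }
    }
    return $safe;
}

// Constructed sample input; section and key names are assumptions.
$sample = <<<'INI'
[general]
base_url = "http://conf.example.org"

[database]
host = localhost
username = ocs_user
password = "constructed-sample"
INI;

$config = parse_ini_string($sample, true);
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
print_r(redactConfigForDisplay($config, $isHttps));
```

Redacting at the point where the config is prepared for display, rather than in the template, keeps the password out of the rendered HTML regardless of transport, so it cannot leak through browser caches, proxies or screenshots either.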
