[Typo3-dev] Problem with the Install Tool password

Michael Stucki mundaun at gmx.ch
Tue Apr 27 10:42:52 CEST 2004


Hi all,

I sent this yesterday to Kasper. He asked me if I can post this here, so
please add your comments...

This was my mail:
--- snip ---
I know you've just introduced a feature freeze but since I'd say this is
about security I hope you still look at this issue:

When creating and testing the packages, I was walking through the 1-2-3 
Install Tool. Works great, yeah!

However now that I want to visit it again I am getting asked for a password. 
Since I am an absolute beginner, I have never seen this before! What is it?

And that's the point! People have their running site while they have never 
seen the stuff about the install tool password. Now let's expect that they
also didn't fill in the famous die() command again, then I'm almost sure
that we'll have loads of installations with the default password (joh316)
for their install tool.

I suggest you force them to change it.
--- snap ---

This was Kasper's reply:
--- snip ---
I see.

It's not urgent security but certainly we should think about this.

First of all we need to come up with a solution where this check should
be. It will be very easy to check if the default password is "joh316" of
course but exactly how should people be warned?

Maybe, let's say an "admin" user logs into the backend. When the frameset
"alt_main.php" loads it checks if the password is "joh316". If so, a
JavaScript "alert()" pops up and tells him, "please go to the install
tool and change the password!". He will not get rid of this until the
password is different - and sooner or later he WILL get tired of it.

That would be an easy fix!
--- snap ---

What do you think about it? Any other ideas?

Cheers - michael
-- 
Want support? Please read the list rules first: http://typo3.org/1438.0.html
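
The default-password check discussed in this message, as an added example for auditing a site's configuration file offline; it is not code from the thread or from TYPO3. It assumes the password is stored as an MD5 hex string assigned to `$TYPO3_CONF_VARS['BE']['installToolPassword']`, and that the shipped default applies when no assignment is present; the function names and sample files are constructed.

```python
import hashlib
import hmac
import re

DEFAULT_PASSWORD = "joh316"  # the default named in the thread
DEFAULT_HASH = hashlib.md5(DEFAULT_PASSWORD.encode()).hexdigest()
CHANGED_HASH = hashlib.md5(b"constructed-example").hexdigest()  # constructed

# Assumption: the setting is a plain assignment of a 32-char MD5 hex string.
ASSIGN_RE = re.compile(
    r"\$TYPO3_CONF_VARS\s*\[\s*['\"]BE['\"]\s*\]"
    r"\s*\[\s*['\"]installToolPassword['\"]\s*\]"
    r"\s*=\s*['\"]([0-9a-fA-F]{32})['\"]\s*;"
)

def effective_hash(php_source):
    """Return the last active installToolPassword hash, or None if unset."""
    source = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)  # drop /* */ blocks
    found = None
    for line in source.splitlines():
        match = ASSIGN_RE.search(line)
        if not match:
            continue
        prefix = line[:match.start()]
        if "//" in prefix or "#" in prefix:
            continue  # assignment is commented out (simple per-line check)
        found = match.group(1).lower()  # later assignments override earlier ones
    return found

def uses_default_password(php_source):
    """True if the Install Tool would still accept the default password."""
    current = effective_hash(php_source)
    if current is None:
        return True  # assumption: no override means the shipped default applies
    return hmac.compare_digest(current, DEFAULT_HASH)

# Constructed sample configuration files.
SAMPLE_DEFAULT = ("<?php\n$TYPO3_CONF_VARS['BE']['installToolPassword'] = '"
                  + DEFAULT_HASH + "';\n?>")
SAMPLE_CHANGED = ("<?php\n// $TYPO3_CONF_VARS['BE']['installToolPassword'] = '"
                  + DEFAULT_HASH + "';\n"
                  "$TYPO3_CONF_VARS['BE']['installToolPassword'] = '"
                  + CHANGED_HASH + "';\n?>")
SAMPLE_UNSET = "<?php\n$typo_db = 'example';\n?>"

if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_CHANGED", "SAMPLE_UNSET"):
        print(name, "default password in use:", uses_default_password(globals()[name]))
```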
