Stop allowing unauthenticated people to set default passwords for web admins

Description

This is a bad security default to allow the first person on the Internet who happens across a server to set the password and doesn't fall under "secure by default". Install Jenkins to see how they handle it. They write a random GUID out to a file on the server's hard drive and then challenge the unauthenticated web user to go open that file and paste the GUID into a form field before allowing them to create the first username/pass for the site. Of course, there is also an easy way to set up the default login from inside the server too if you just want to bypass the admin. (This is important for cloud deployments where the admin might not even get deployed.)

Secondly, do not allow a web context to get a password set either. The server admin must create a default web context password or set one manually.

Basically, there needs to be no way that a hacker can set a password for a newly-installed Lucee server.


Activity


Zac Spitzer 12 February 2020 at 00:03

please file a new issue and link it to this one

Denard Springle 11 February 2020 at 23:20

Per https://dev.lucee.org/t/new-password-txt-requirement/6606

I think a better implementation of this would be to have Lucee:

  • Randomly generate a password and write it to password.txt

  • Require that password to login the first time (forcing the user to prove ownership by reading a file from the file system)

  • Delete the password.txt file on first login

  • Require a password reset


I feel this is a much more user friendly way to handle this if the password has not already been set than forcing the creation of a password file by the user and then an import step.
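The four-step flow proposed in this comment (random secret written to password.txt, one-time first login that proves filesystem access, file deleted on success, forced password reset), as an added example that is not Lucee's code or anyone's attachment here. It assumes a `FirstRunAdminSetup` class, a `run` directory supplied by the caller, and the `new_setup` helper, all constructed for this illustration:

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

class FirstRunAdminSetup:
    FILE_NAME = "password.txt"  # constructed example of the flow above, not Lucee code; name from the comment

    def __init__(self, root):
        self.root = Path(root)
        self.token_hash = None    # sha256 of the one-time secret; the secret itself is not kept in memory
        self.must_reset = False   # True after first login until a real password is chosen
        self.password_hash = None

    def generate(self):
        # Write a random one-time secret to password.txt, readable only by the server's own user (0600)
        token = secrets.token_urlsafe(32)
        self.token_hash = hashlib.sha256(token.encode()).digest()
        path = self.root / self.FILE_NAME
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(token)
        return path

    def first_login(self, submitted):
        # Accept the secret once; the file still being on disk is the proof of server ownership
        path = self.root / self.FILE_NAME
        if self.token_hash is None or not path.exists():
            return False
        if not hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), self.token_hash):
            return False  # constant-time compare, then reject
        path.unlink()            # delete password.txt on first login
        self.token_hash = None   # so replaying the same secret fails
        self.must_reset = True   # force a password reset before anything else
        return True

    def set_password(self, new_password):
        # Only allowed right after first login; store a salted PBKDF2 hash, never the password
        if not self.must_reset or len(new_password) < 12:
            return False
        salt = secrets.token_bytes(16)
        self.password_hash = salt + hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.must_reset = False
        return True

def new_setup():
    # Constructed helper: a fresh server root in a temp dir so the example runs offline
    return FirstRunAdminSetup(tempfile.mkdtemp())
```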

Michael Offner 29 August 2019 at 13:28

I adapted your changes with some changes, I agree with the full path, also felt wrong to me.

Zac Spitzer 29 August 2019 at 12:06

there’s a typo: “For security reasons it is no longer possible to set the inital password here.”

I don’t really like exposing the full Lucee installation path to end users, if you installed Lucee, you know where it was installed

using an html list would make this clearer to follow

Rather than just reload, how about “Import Admin Password file”

You will need to configure a password before you can access the Administrator.

  1. Please create a file with name password.txt containing your new password under the root Lucee server directory.

  2. Click Import Password file, Lucee will read and configure your new password, afterwards Lucee will automatically delete that file

or something like that?

Fixed

Created 14 July 2016 at 16:33
Updated 10 April 2021 at 13:10
Resolved 29 August 2019 at 06:33