On Thu, 17 Apr 2008, [EMAIL PROTECTED] wrote:
Someone set a new password for editing the web site. It's documented in
Speaking of passwords. Whoever changed the password for
http://www.lyx.org
forgot to change it for
http://www.lyx.org/test/wiki/index.php
which left a security hole since they use the same wiki page store.
I've now rearranged it so that the wiki password is set in the farm
configuration file and made a note of where it is set in the file:
/home/lyx/www/pmwiki/passwords.txt
In addition, the new password was left openly in the configuration
scripts. This is a bad idea, and the proper way is to do e.g.
http://www.lyx.org/AboutLyX?action=crypt
where you'll get a form where you can enter the password and get an
encrypted string back. If you're paranoid, you'll do this locally since
data goes unencrypted over the network. The previous link might only work
if you're logged in though.
/Christian
--
Christian Ridderström, +46-8-768 39 44 http://www.md.kth.se/~chr
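
A check for the problem described in the message above, as an added example that is not part of the original e-mail or the LyX site's own scripts: it scans PmWiki-style configuration text for `$DefaultPasswords` entries where a cleartext password is passed to `crypt()`/`pmcrypt()` instead of storing the string returned by `?action=crypt`. The sample config, its passwords and hash, and the `$SharedHash` variable are constructed for illustration.

```python
import re

# $DefaultPasswords['level'] = <value>  (PmWiki config syntax)
ASSIGN = re.compile(r"""\$DefaultPasswords\[\s*['"](\w+)['"]\s*\]\s*=\s*(.*)$""")
# crypt('literal') or pmcrypt("literal"): the cleartext sits in the file
PLAINTEXT_CALL = re.compile(r"""^(?:pm)?crypt\(\s*(['"]).+?\1\s*\)""")
# A quoted modular-crypt string such as '$1$salt$hash' (assumed hash format)
STORED_HASH = re.compile(r"""^(['"])\$\w+\$[./0-9A-Za-z$]+\1""")


def audit(config_text):
    """Return (line_number, level, verdict) for every password assignment.

    Commented-out assignments are checked too, because an old password
    left in a comment is just as readable as a live one.
    """
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = ASSIGN.search(line)
        if not match:
            continue
        level, value = match.group(1), match.group(2).strip()
        if PLAINTEXT_CALL.match(value):
            verdict = "plaintext"   # password readable in the script
        elif STORED_HASH.match(value):
            verdict = "hashed"      # only the hash is stored
        else:
            verdict = "review"      # variable, array, etc.: check by hand
        findings.append((number, level, verdict))
    return findings


# Constructed sample configuration (not taken from any real site).
SAMPLE = r"""<?php
$DefaultPasswords['admin'] = crypt('constructed-admin-pw');
$DefaultPasswords['edit'] = '$1$abcdefgh$0123456789ABCDEFGHIJK.';
# $DefaultPasswords['edit'] = crypt('old-constructed-pw');
$DefaultPasswords['upload'] = pmcrypt("constructed-upload-pw");
$DefaultPasswords['attr'] = $SharedHash;
"""

if __name__ == "__main__":
    for number, level, verdict in audit(SAMPLE):
        print(f"line {number}: {level}: {verdict}")
```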