[wplug-plan] Re: [Wplug-web] unstable -> stable?
Evan DiBiase
evand at wplug.org
Sat Jun 23 15:19:14 EDT 2001

On Sat, 23 Jun 2001, Zach Paine wrote:
>
> On Sat, 23 Jun 2001 12:21:31 Robert Dale wrote:
> > This was discussed back in April.. I don't know why you guys didn't push
> > it then.
> >
> > In April it was proposed to push it, I question the security, zman
> > responded and no one opposed his actions. Here is the last email wrt
> > 'unstable':
> > http://www.wplug.org/pipermail/wplug-web/2001-April/000235.html
>
> Laziness :) Evan removed the user access feature, so that only an admin
> mode remains. So it's somewhat more secure. I don't think it should be a
> problem.

Indeed. The only security issue that I feel is even remotely valid at
this point is the fact that I personally generated the "check key" for
the admin account. Should someone have access to the source or guess the
20-character key, they'd be able to update the news and meeting
information. For those with access to the source, feel free to take a
look at wplug/log_in.php (where the check key is set) and line 56 of
wplug/lib/func.inc (where the check key is verified). If anyone can
think of a better/more secure way to do this, I'd be up for changing the
code a bit, but IMHO the system should suffice for now.

If we've already cleared the push, then, zman and I will move unstable
over to stable later tonight.

-Evan
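
One way to avoid a fixed check key that lives in the source, as an added example that is not part of the original e-mail or the WPLUG code: the admin password is stored only as a hash, and each login gets a random key that is verified in constant time. The function names, the `$store` array standing in for server-side session storage, and the sample passphrase are assumptions made for illustration.

```php
<?php
// Added example: hypothetical replacement for a check key hard-coded in source.
// Assumption: the admin password hash is kept in a config file outside the web
// root and outside version control; here it is built inline as constructed data.
$adminHash = password_hash('constructed-sample-passphrase', PASSWORD_DEFAULT);

// Hypothetical login step: verify the password, then issue a random per-login
// key instead of a fixed one. Only a hash of the key is kept server-side.
function issue_check_key(string $password, string $adminHash, array &$store): ?string
{
    if (!password_verify($password, $adminHash)) {
        return null;
    }
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $store['check_key_hash'] = hash('sha256', $token);
    $store['expires'] = time() + 3600;            // key stops working after an hour
    return $token;                                // sent to the browser as a cookie
}

// Hypothetical verification step, run before any news or meeting update.
function verify_check_key(?string $presented, array $store): bool
{
    if ($presented === null || !isset($store['check_key_hash'], $store['expires'])) {
        return false;
    }
    if (time() > $store['expires']) {
        return false;
    }
    // hash_equals compares in constant time, so response timing does not
    // reveal how much of a guessed key matched.
    return hash_equals($store['check_key_hash'], hash('sha256', $presented));
}

$store = [];   // stands in for server-side session storage
$token = issue_check_key('constructed-sample-passphrase', $adminHash, $store);
var_dump(verify_check_key($token, $store));               // key issued at login
var_dump(verify_check_key(str_repeat('0', 64), $store));  // guessed key
var_dump(issue_check_key('wrong', $adminHash, $store));   // bad password
```

With this layout, read access to the source no longer reveals a working key, and a leaked key expires on its own.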