big security flaw in b2
i had installation problems a few moments ago and i realised that b2install.php is in my monkey.dayzero directory. this can be a great security flaw because it simply overwrites all existing settings and posts and makes a new copy of b2. this also means that all accounts are wiped out and the admin user and pass become the default.
this is worrying. for those of you who're using b2, please DELETE b2install.php from your ftp server after installation. if you can't remember your password you can upload it back and do a clean reinstallation, or request michel to do this password sending thing. thank you.
alternatively, you can chmod the install.php file to something else (like 755), or request yet another feature for b2: for the install.php file to auto-delete itself after installing.
i would request this to be reflected in the b2 readme.
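As an added illustration of the feature requested above (this is example code written for this post, not b2's own installer), here is how an install script can refuse to run a second time and remove itself once it has finished. The lock file name `install.lock`, the `run_installation()` body and the messages are assumptions for the example; b2's real installer may be organised differently.

```php
<?php
// Added example, not part of b2: an installer that cannot be re-run against
// a finished installation and that removes itself when it completes.
// The lock file name below is an assumption for illustration.

define('INSTALL_LOCK', __DIR__ . '/install.lock');

// True once a previous run finished. Checked before anything is touched,
// because a second run would wipe posts and reset the admin account.
function install_already_done(): bool
{
    return file_exists(INSTALL_LOCK);
}

// Stop with a clear message instead of silently reinstalling.
function refuse_reinstall(): void
{
    header('HTTP/1.1 403 Forbidden');
    echo 'Installation has already been completed. Delete install.lock on the '
       . 'server by hand only if you really intend to reinstall from scratch.';
    exit;
}

// Placeholder for the real setup work (create tables, write the config file,
// set the initial admin password). Assumed, not b2's code.
function run_installation(): void
{
    // ... installer work goes here ...
}

// Record that the install finished, then try to delete this script so it can
// no longer be reached over the web. Say so plainly if deletion fails, since
// a file uploaded over FTP is often not writable by the web server user.
function finish_installation(): void
{
    file_put_contents(INSTALL_LOCK, gmdate('c') . "\n");

    if (@unlink(__FILE__)) {
        echo 'Installation complete; the installer has removed itself.';
    } else {
        echo 'Installation complete, but the installer could not delete itself. '
           . 'Delete ' . basename(__FILE__) . ' from the server now.';
    }
}

if (install_already_done()) {
    refuse_reinstall();
}
run_installation();
finish_installation();
```

The lock file is the part that matters most: self-deletion only works when the web server process is allowed to remove the file, and a permission change only helps if it actually takes read and execute access away from the account the web server runs as. With the lock in place, even a forgotten or re-uploaded b2install.php does nothing until someone deliberately removes install.lock on the server.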
@ 17:40:25 069