
PhilETaylor - 15 Aug 2021

Code review

Security 101: Do not provide guessable defaults for secrets or credentials because users cannot be trusted to change default credentials and secrets.

It can also be used to fingerprint a site or to find one with a Google dork.

PhilETaylor - open - 15 Aug 2021
PhilETaylor - change - 15 Aug 2021
Status: New → Pending
joomla-cms-bot - change - 15 Aug 2021
Category: Installation
PhilETaylor - change - 15 Aug 2021
The description was changed
PhilETaylor - edited - 15 Aug 2021
brianteeman - comment - 15 Aug 2021

You really can't fix stupid. There are only 88 instances on GitHub, and they also include server passwords and usernames, which is far more serious for them than the secret.

Some people deserve to be hacked

PhilETaylor - comment - 15 Aug 2021

Regardless of the actual number or the stupidity of people... not providing defaults for otherwise secure credentials is security 101.

RickR2H - test_item - 17 Aug 2021 - Tested successfully
RickR2H - comment - 17 Aug 2021

I have tested this item successfully on 141ea36

The secret is generated on install, so IMHO the default can be removed.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/35139.

Quy - test_item - 23 Aug 2021 - Tested successfully
Quy - comment - 23 Aug 2021

I have tested this item successfully on 141ea36

Quy - change - 23 Aug 2021
Status: Pending → Ready to Commit
Quy - comment - 23 Aug 2021

RTC

bembelimen - comment - 26 Aug 2021

So what happens if a user uses this file and forgets to add a secret? Does any place in Joomla! crash because there is no secret?

Additionally, we should probably extend the comment to help the user define a secret (16 characters, uppercase, lowercase, alphanumeric, ...).

PhilETaylor - comment - 26 Aug 2021

> So what happens if a user uses this file and forgets to add a secret? Does any place in Joomla! crash because there is no secret?

Joomla runs as normal. Joomla does not validate the secret, and does not care that there is not one defined.

> Additionally, we should probably extend the comment to help the user define a secret (16 characters, uppercase, lowercase, alphanumeric, ...).

No, we absolutely should not. This goes against all security best practice in 2021, the same way it is now frowned upon to provide and enforce password policies other than length. As Joomla can accept an empty string as a secret (rightly or wrongly), any artificial complexity rules are simply wrong.
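
The two behaviours described in this thread, that the installer generates the secret and that Joomla itself never validates it, mean an empty or shipped-default $secret in configuration.php goes unnoticed unless something outside the application looks for it. The following is an added example, not code from Joomla or from anyone in this thread: a small Python audit that pulls $secret out of a configuration.php, flags it when it is missing, empty, on a denylist of known shipped defaults, or shorter than a length floor, and can write back a replacement drawn from the CSPRNG. The sample configuration and the placeholder value 'CHANGEME_DEFAULT_SECRET' are constructed for the demo and are not the literal that shipped in configuration.php-dist; the denylist, the 16-character floor and the property-name regex are assumptions, and, in line with the point made above, the check imposes no complexity rules beyond length.

```python
"""Audit a Joomla-style configuration.php for a missing, empty or
shipped-default $secret, and optionally rewrite it with a fresh value.

Added example, not Joomla's own code. Everything below is stand-alone.
"""
import re
import secrets
import string
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of a Joomla configuration.php. The $secret
# value is a made-up placeholder standing in for a shipped default; it is NOT
# the literal that was in configuration.php-dist.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $sitename = 'Example';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'dbuser';
    public $password = 'dbpass';
    public $secret = 'CHANGEME_DEFAULT_SECRET';
    public $debug = false;
}
"""

# Hypothetical denylist for the demo. A real deployment would seed it with the
# exact literal(s) that shipped in past configuration.php-dist files.
KNOWN_DEFAULT_SECRETS = {"CHANGEME_DEFAULT_SECRET", "secret", "changeme"}

# Assumed floor; the thread's only stated constraint was that length is the one
# policy worth enforcing, so this is the only rule besides the denylist.
MIN_SECRET_LEN = 16

# Matches `public $secret = '...';` (or "...") inside class JConfig.
_SECRET_RE = re.compile(r"""public\s+\$secret\s*=\s*(['"])(.*?)\1\s*;""", re.S)


@dataclass
class SecretFinding:
    value: Optional[str]   # None when no $secret property exists at all
    status: str            # "missing", "empty", "default", "short" or "ok"


def extract_secret(config_text: str) -> Optional[str]:
    """Return the $secret literal, or None if the property is absent."""
    m = _SECRET_RE.search(config_text)
    return None if m is None else m.group(2)


def audit_secret(config_text: str) -> SecretFinding:
    """Classify the configured secret; anything but "ok" needs attention."""
    value = extract_secret(config_text)
    if value is None:
        return SecretFinding(None, "missing")
    if value == "":
        return SecretFinding(value, "empty")      # Joomla accepts this silently
    if value in KNOWN_DEFAULT_SECRETS:
        return SecretFinding(value, "default")    # guessable, dork-able value
    if len(value) < MIN_SECRET_LEN:
        return SecretFinding(value, "short")
    return SecretFinding(value, "ok")


def generate_secret(length: int = 32) -> str:
    """CSPRNG-backed secret from an alphabet that needs no PHP string escaping."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def replace_secret(config_text: str, new_secret: str) -> str:
    """Rewrite the first $secret assignment with new_secret (single-quoted)."""
    if extract_secret(config_text) is None:
        raise ValueError("no $secret property to replace")
    return _SECRET_RE.sub(lambda _m: f"public $secret = '{new_secret}';",
                          config_text, count=1)


if __name__ == "__main__":
    # Usage: python audit_secret.py [/path/to/configuration.php]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    finding = audit_secret(text)
    print(f"secret status: {finding.status}")
    if finding.status != "ok":
        print("suggested replacement:", generate_secret())
```

Run without arguments it audits the embedded sample and reports `default`; pointed at a real install it reads that file instead. Rewriting is deliberately left to the caller (`replace_secret` returns new text rather than touching disk) because a secret rotation invalidates anything derived from the old value, so it belongs in a planned change, not in an audit pass.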

PhilETaylor - change - 9 Sep 2021
Labels Added
wilsonge - change - 9 Sep 2021
Status: Ready to Commit → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2021-09-09 17:15:11
Closed_By: wilsonge
wilsonge - close - 9 Sep 2021
wilsonge - merge - 9 Sep 2021
wilsonge - comment - 9 Sep 2021

Thanks!
