[mapguide-users] RE: MG Security question

Homan, Thomas thoman at co.gila.az.us
Wed Aug 26 18:13:49 EDT 2009


Thanks for the response Bruce.
 
Changing the admin password was the first thing I did and that brought
about my noticing that serveradminhelper was failing and yes I would
completely agree a dialog is warranted. I am mostly fishing for any
other known security deficiencies without a complete code review.
 
Tom

________________________________

From: mapguide-users-bounces at lists.osgeo.org
[mailto:mapguide-users-bounces at lists.osgeo.org] On Behalf Of Bruce
Dechant
Sent: Wednesday, August 26, 2009 2:58 PM
To: MapGuide Users Mail List
Subject: [mapguide-users] RE: MG Security question



Tom,

 

I don't know of any document describing the security of MGOS.

 

In regards to your concern over serveradminhelper it is hard coded to
use the default administrator user name and password - so credentials
are still required just no dialog. If you plan on using MGOS or any
other system that uses logon credentials it is always recommended that
you change the default administrator credentials. However, I do think
that the serveradminhelper pages need to be updated so that credentials
are asked in a dialog instead of being hard coded.

 

Thanks,

Bruce

 

From: mapguide-users-bounces at lists.osgeo.org
[mailto:mapguide-users-bounces at lists.osgeo.org] On Behalf Of Homan,
Thomas
Sent: Wednesday, August 26, 2009 11:23 AM
To: mapguide-users at lists.osgeo.org
Subject: [mapguide-users] MG Security question

 

Hello, 

Does there happen to be a doc/wiki relating to security on MGOS? 

I'm hoping to find something that details the obvious security holes
like where the 'serveradminhelper.(php/aspx/jsp)' is called from
mapagent/index.html ---> Server Admin and allows someone to take the MG
server offline without having to enter any credentials. By default
install that tidbit is exposed to the public for their entertainment. 

I'd like to know any of the other surprises that I don't yet know about
as well. 

Thanks in advance 

Tom 
