[BlueOnyx:05461] Re: Dealing with /admin URL 'hijacking

James Darbyshire jamesdarbyshire at gmail.com
Sat Sep 25 09:29:52 -05 2010


I disagree. Certainly it is not best practice for any admin functions to be
accessible through a generic /admin URL, but I would rather someone was
trying to attack my CMS than my server admin panel, where they have much
higher security privileges than in my CMS.

Worst case they graffiti my pages and I have to restore to a backup.

If they get into my BO admin area they can royally screw with my server, and
it possibly would not be as obvious/easy to detect.

Regardless, it's no big deal. You just have to remember to change your BO
settings when the config gets overwritten.

Regards,

James Darbyshire

Sent from my Samsung Droid™

On 25/09/2010 11:54 PM, "Abdul Rashid Abdullah" <webmaster at muntada.com>
wrote:

Stephanie hit the nose on the target.  I would prefer to modify the CMS
rather than BlueOnyx.  When you migrate to a new system, you will deal with
the issue all over again.  It is best to change it upfront.

PLUS I am not sure who said something about BlueOnyx security and they
deleted it for that reason, but I would say that it is FAR better to rename
the admin of a CMS, as there is by far a higher likelihood of an exploit on
the CMS than on BlueOnyx coming into play. Zen Cart, as an example, EXPLICITLY
encourages all of the users to rename it to something unique and specifically
warns you, if I am remembering correctly, if you don't do it. It is one of
their countermeasures for not getting hacked.

Regards,

Rashid



On 9/24/10 7:08 AM, "Stephanie Sullivan" <ses at aviaweb.com> wrote:

> Jeff,
>
> I've yet to meet a...