[BlueOnyx:05464] Re: Dealing with /admin URL 'hijacking'

Abdul Rashid Abdullah webmaster at muntada.com
Sat Sep 25 09:56:37 -05 2010


I agree on your first point that some obscurity of the login URL is helpful,
but having said that, my stance came from the viewpoint that all CMSs are
generally less secure than the BlueOnyx authentication mechanism, especially
if one keeps one's passwords rather complex and changes them frequently.

Regards,

Abdul Rashid


On 9/25/10 7:29 AM, "James Darbyshire" <jamesdarbyshire at gmail.com> wrote:

> I disagree. Certainly it is not best practice for any admin functions to be
> accessible through a generic /admin URL, but I would rather someone was trying
> to attack my CMS than my server admin panel, where they have much higher
> security privileges than in my CMS.
> 
> Worst case they graffiti my pages and I have to restore to a backup.
> 
> If they get into my BO admin area they can royally screw with my server, and
> it possibly would not be as obvious/easy to detect.
> 
> Regardless, it's no big deal. You just have to remember to change your BO
> settings when the config gets overwritten.
> 
> Regards,
> 
> James Darbyshire
> 
> Sent from my Samsung Droid
> 
>> On 25/09/2010 11:54 PM, "Abdul Rashid Abdullah" <webmaster at muntada.com>
>> wrote:
>> 
>> Stephanie hit the nose on the target.  I would prefer to modify the CMS
>> rather than BlueOnyx.  When you migrate to a new system, you will deal with
>> the issue all over again.  It is best to change it upfront.
>> 
>> PLUS I am not sure who said something about BlueOnyx security and they
>> deleted it for that reason, but I would say that it is FAR better to rename
>> the admin of a CMS, as there is by far a higher likelihood of an exploit on
>> the CMS than on BlueOnyx coming into play.  Zen Cart, as an example, EXPLICITLY
>> encourages all of the users to rename it to something unique and specifically
>> warns you, if I am remembering correctly, if you don't do it.  It is one of
>> their countermeasures for not getting hacked.
>> 
>> Regards,
>> 
>> Rashid
>> 
>> 
>> 
>> On 9/24/10 7:08 AM, "Stephanie Sullivan" <ses at aviaweb.com> wrote:
>> 
>>> > Jeff,
>>> > 
>>> > I've yet to meet a...
> 
> 
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
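The countermeasure the thread keeps coming back to (rename the CMS admin directory to something unique so it no longer sits at the generic /admin path that BlueOnyx also claims) as an added shell example; this is not code from the thread, from Zen Cart or from BlueOnyx. It assumes the CMS keeps its admin UI in one directory under the web root (Zen Cart's admin/ is the example named above), that /dev/urandom exists, and that the CMS's own configuration still has to be pointed at the new directory name afterwards, which this script does not do.

```shell
#!/bin/sh
# Added example (not from the thread, Zen Cart or BlueOnyx).
# Move a CMS admin directory from the guessable name "admin" to
# "admin_<12 random hex chars>" so it no longer collides with /admin.
#
# Usage: rename_admin_dir /path/to/webroot [admin]
# Prints the new directory name on success; returns 1 on any failure
# (missing source directory, target already present, mv failure).

rename_admin_dir() {
    webroot="$1"
    old="${2:-admin}"

    if [ ! -d "$webroot/$old" ]; then
        echo "no '$old' directory under $webroot" >&2
        return 1
    fi

    # Six bytes from /dev/urandom (assumed present) -> 12 hex characters.
    suffix=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    new="${old}_${suffix}"

    # Refuse to clobber anything that already exists at the target name.
    if [ -e "$webroot/$new" ]; then
        echo "target '$new' already exists, rerun" >&2
        return 1
    fi

    mv "$webroot/$old" "$webroot/$new" || return 1
    echo "$new"
}
```

After running it, update the CMS configuration that references the old admin directory name (for Zen Cart that is the admin path settings in its configure files; the exact keys depend on the CMS and are not shown here), and keep the new name out of any public source such as robots.txt or sitemap output.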

