Unauthorized access leads to leakage of sensitive information #568
Comments
Hello, if I remember correctly, there was a way to put HTTP basic authentication in front of logging into the app. But it's been quite a while, and this project is no longer being actively maintained due to lack of support from officials, although it has community support. If I recall correctly, there must be an environment variable that you must set to enable HTTP basic authentication; you might find it in the code. I'll try to check in my spare time and will comment.
If it is not turned on by default, assets on the public network will pose a risk of leakage. Hopefully adding action statements is less risky.
With these environment variables you can enable HTTP basic authentication @mastersir-lab
In this way, the system has security problems, which lead to sensitive information leakage under the default configuration.
@mastersir-lab what you said is akin to "Using your Instagram account without 2FA leads to risks like sensitive information leakage under the default configuration, with hacking possibility." False usages are not security problems. Those are end-user problems. A lot of systems' default usernames and passwords are admin/admin.
Introduction
There is no need to log in to the system: you can operate the database connection, and you can view the database account and password information in the connection settings interface.
Steps to reproduce:
1. You can operate without logging in to the system. Visit the system home page.
2. Click the Connect function to open the database connection configuration interface.
3. Edit the configuration and view the configuration information. There is a database account and password.
4. The database connection information in the configuration interface can be accessed, and the database can be operated.
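The thread above turns on whether HTTP basic authentication is enabled by an environment variable and whether the unauthenticated default is acceptable. The following is an added example, not code from this project, showing how such a gate can be written so that the connection-settings screen is only served after valid credentials, and so that a missing configuration fails closed instead of exposing the page. The variable names APP_BASIC_AUTH_USER and APP_BASIC_AUTH_PASSWORD and the functions below are hypothetical placeholders; the project's own variable names are not given on this page.

```python
import base64
import hmac
import os
from typing import Mapping, Optional, Tuple


def basic_auth_config(env: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) when basic auth is configured, else None.

    APP_BASIC_AUTH_USER / APP_BASIC_AUTH_PASSWORD are hypothetical names used
    for this example; substitute the real application's variables.
    """
    user = env.get("APP_BASIC_AUTH_USER")
    password = env.get("APP_BASIC_AUTH_PASSWORD")
    if not user or not password:
        return None
    return user, password


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse 'Authorization: Basic <base64(user:password)>'.

    Returns None for a missing, non-Basic, undecodable or colon-less value, so
    malformed input is treated the same as no credentials at all.
    """
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def encode_basic(user: str, password: str) -> str:
    """Build the header value a client would send (used for self-testing)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def authorize(env: Mapping[str, str], headers: Mapping[str, str]) -> int:
    """Decide whether a request may reach the connection-settings page.

    Returns an HTTP status code: 200 allowed, 401 missing or wrong
    credentials, 503 when no credentials are configured at all. The 503 is
    the fail-closed choice: an unconfigured deployment refuses the page
    rather than serving database credentials to anyone who finds it.
    """
    configured = basic_auth_config(env)
    if configured is None:
        return 503
    supplied = parse_basic_header(headers.get("Authorization"))
    if supplied is None:
        return 401
    # compare_digest keeps the comparison time independent of where the
    # first mismatching byte is; it returns False on length mismatch.
    user_ok = hmac.compare_digest(supplied[0].encode("utf-8"), configured[0].encode("utf-8"))
    pass_ok = hmac.compare_digest(supplied[1].encode("utf-8"), configured[1].encode("utf-8"))
    return 200 if (user_ok and pass_ok) else 401


if __name__ == "__main__":
    # Constructed sample environment standing in for the real process environment.
    sample_env = {"APP_BASIC_AUTH_USER": "admin", "APP_BASIC_AUTH_PASSWORD": "s3cret"}
    print(authorize(sample_env, {}))                                                   # 401
    print(authorize(sample_env, {"Authorization": encode_basic("admin", "s3cret")}))   # 200
    print(authorize({}, {}))                                                           # 503
    print(authorize(dict(os.environ), {}))
```

The 503 branch is a design choice that differs from the default the thread describes: an operator who forgets to set the variables gets an error page rather than an open connection-settings screen, which is the behaviour the reporter was asking for.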