
Changing admin PW?

Posted: 2:55pm, Tue 06 May, 2014
by adoni
OK

is there any real reason to do line 6 of the security readme file

6. Change the admin password as soon as you have installed phpList.


in config you give a pw for the script

sure it's not encrypted and readable in plain text

but if you put the config file into a directory with proper .htaccess

no one can hook the config.php file from admin right?

or are there vulnerabilities around that allow people to get the config.php info even from a properly secured .htaccess file that should deny all reading of files except index in admin?

most scripts come with a general pw all users use to set up the script, then you change the pw after the script is on the server

this script has the user set a pw in plain text in config

ok, so what is the issue?

that it was set in config.php in plain text and are the developers someone exploiting the config.php file to be readable?

well .htaccess should stop that right?

or are there security vulnerabilities in the script?

or are they afraid a sniffer may have been between the uploader and his server so any plain text pw's are wide open in FTP usually

do you know the reasoning for this change admin PW even though you set it already in config.php

seems if they're worried about something, then maybe they should do like most scripts, use the same user and pw to upload and then after first session change out the pw

right now you set it in config.php

then you change it again in the script?

seems a little strange, so if you know the security logic as to this advice

I'd like to know

thanks

Re: Changing admin PW?

Posted: 6:00pm, Tue 06 May, 2014
by Dragonrider
The reason that it is suggested (strongly recommended) to change the default password is simply that it defaults to admin and phplist. Anyone downloading phpList can see this when they start it up.

So, initially, anyone can access your phpList admin pages, so change your default password.

I also like to change the logon from admin to a more relevant login, but that's done via phpMyAdmin.

Re: Changing admin PW?

Posted: 8:24am, Wed 07 May, 2014
by duncanc
Unfortunately most of those readme files are out of date. The security readme is more than 10 years old.
phpList now does not have a default password; you need to enter a password during the installation process.

The config file holds the credentials for the MySQL database, the bounce email address and, if used, the SMTP server. By default, using .htaccess, the config.php file is not accessible through the web server.

Re: Changing admin PW?

Posted: 2:47am, Mon 12 May, 2014
by williamrouse
I need help. I installed phpList and all went well. When I go back to the link:
mydomain/lists/admin the login procedure does not work, or should I say I don't know what to enter.
The default credentials admin/phplist do not work.
The credentials that I entered during the install do not work.
The database credentials in the config.php file do not work.

What credentials should I use to reenter the Dashboard?

Re: Changing admin PW?

Posted: 5:30am, Mon 12 May, 2014
by williamrouse
I am not sure what I did right but now I can log in so my last post is resolved.