[documentation] Fwd: [support] www.mysite.net security hole for mysite.net?

Bèr Kessels ber at webschuur.com
Sun Jun 11 12:34:20 UTC 2006


This is rather serious. 

We don't say clearly in our installation docs that the default config remains 
active. And because a site w/o users can be compromised in seconds (first 
registration == SuperUser) this needs to be stressed IMO.

Bèr

----------  Forwarded message  ----------

Subject: [support] www.mysite.net security hole for mysite.net?
Date: Saturday 10 June 2006 18:16
From: "dondi_2006" <dondi_2006 at libero.it>
To: "support" <support at drupal.org>

Hello,

Please help me, this is serious.

Some days ago I started to build a new website with Drupal 4.7.2 on Linux
+ Apache.

I configured everything (DNS, Apache, Drupal...) to work ONLY when
connecting to http://mysite.net. Or so I believed.

Ten minutes ago I decided to continue building my website. Without thinking,
I typed in the browser www.mysite.net and got the Drupal page (with default
theme) saying, more or less, "hello, this is the first connection, so this
account will be administrator with password ..... Please configure"

If I click on configure, I go to the administration page and can screw the
website without entering a password!

At the same time, if I type in the browser http://mysite.net I get to the
website I configured (theme, etc...) and I _have_ to log in to change things.

What is this? An error of mine, a Drupal/Apache bug, both? How can I
set things so that www.mysite.net goes to mysite.net, without believing
that is a first visit, and that anybody can hack the site?

TIA,
O.

--
[ Drupal support list | http://lists.drupal.org/ ]
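
One way to get the behaviour asked for above (www.mysite.net goes to mysite.net, and no other hostname reaches the site), as an added example that is not part of the original messages. It assumes Apache name-based virtual hosts on port 80 with mod_alias and mod_rewrite loaded; the document-root paths and the catch-all ServerName are placeholders.

```apache
# Constructed example: hostnames are the ones used in the post,
# /var/www/... paths and catchall.invalid are placeholders.
# Apache 2.0/2.2 additionally need "NameVirtualHost *:80"; 2.4 does not.

# 1. Catch-all. A request whose Host header matches no ServerName or
#    ServerAlias is handed to the first vhost defined for the address,
#    so this block must come first. It serves no application at all.
<VirtualHost *:80>
    ServerName catchall.invalid
    DocumentRoot /var/www/empty
    RewriteEngine On
    # Answer every request with 403 Forbidden.
    RewriteRule ^ - [F]
</VirtualHost>

# 2. The www alias never reaches Drupal; it only redirects to the
#    canonical hostname, keeping the requested path.
<VirtualHost *:80>
    ServerName www.mysite.net
    Redirect permanent / http://mysite.net/
</VirtualHost>

# 3. The only vhost that points at the Drupal document root.
<VirtualHost *:80>
    ServerName mysite.net
    DocumentRoot /var/www/mysite
</VirtualHost>
```

After a reload, a request for www.mysite.net should return a 301 to http://mysite.net/ and a request for any other hostname a 403.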

-------------------------------------------------------