Alternadiv
Well-known member
- Affected version: 2.2
I'm not sure if there's any likeliness of this ever happening but I figured I would post it just as a precaution.
I was at the administrator account creation page of a fresh 2.2 install in my test forum environment. I made a mistake (thanks to iCloud) of using a "strong" password for the account thinking iCloud would remember it and I wouldn't have to.
iCloud did not remember the password when I moved to the next step and I said "well that sucks" and hit the back button to see if I could give the account a new password. I was not able to change the password from there because the account was already created so trying to change the password on this page gave an error of "the username already exists and must be unique".
Then I tried being clever and hit the back button again, so now I'm back at the administrator account creation page of the install process. I figured I'd try a new username and a new password, essentially creating a second super administrator account before I even finished the whole install process. To my surprise, it worked.
Again, I'm not entirely sure if this would happen in the real world but it seems like an outside party might be able to create a second super admin account if you never finish the install process? Even if they did, maybe it wouldn't matter since it's a brand new forum / database. Just thought I'd bring it up anyway.