Hello,
As I bring my MGE2010 site closer to online, I have a question regarding the
/mapagent/index.html section and how to best lock it down. I can
see where it's a handy tool for diagnostics and such but the Server Admin
section is downright scary!
Bringing up that section allows the execution of several tasks that include
taking the server on/offline. All the Server Admin functions call a
serveradminhelper.(php/aspx/jsp) file in its respective mapviewerxxx
folder depending on your installation. The fun begins with the embedded
function: $cred->SetMgUsernamePassword("Administrator","admin"); (out of the
php version)
Now then, why would I want the admin UID/pw embedded in cleartext in a
function on a webserver where there appears to be NO discussion on security
in the docs anywhere?!?!?!?
Also, a standard tenet of security is to rename/disable the admin account/pw
so this tool will fail until the correct credentials are corrected in
cleartext because the file is statically copied in during install and has no
method to dynamically update which is probably a REAL good thing.
How difficult would it be to at least bring up a UID/pw entry box where
action by a user is required?
How many other security holes are there that could affect our ability to
provide services to clients?
Please advise
Tom
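An added example of the change the post asks for, written for this page and not taken from MapGuide's own serveradminhelper.php: the hardcoded `$cred->SetMgUsernamePassword("Administrator","admin")` is replaced by an HTTP Basic Auth challenge, so the browser prompts for a username and password and the helper only proceeds with what the user typed. It assumes the MapGuide Open Source PHP API as commonly used (`MgInitializeWebTier`, `MgUserInformation::SetMgUsernamePassword`, `MgSiteConnection::Open`, `MgException::GetExceptionMessage`); the helper function names, the realm string and the webconfig.ini path are assumptions for illustration.

```php
<?php
// Added example, not MapGuide's stock serveradminhelper.php.
// Assumed MapGuide PHP API: MgInitializeWebTier(), MgUserInformation,
// MgSiteConnection, MgException. Assumed webconfig.ini location below.

// Vulnerable pattern the post quotes from the stock helper (kept for contrast):
//   $cred = new MgUserInformation();
//   $cred->SetMgUsernamePassword("Administrator", "admin");   // literal admin creds
// Anyone who can reach the script gets admin rights on the site server, and
// the literal breaks as soon as the admin account is renamed or its password changed.

// Hardened form: make the user supply credentials on every request.

// Refuse to run over plain HTTP: Basic Auth only base64-encodes the password.
function requireTls(): void
{
    $https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        header('HTTP/1.0 403 Forbidden');
        exit('Server Admin is only available over HTTPS.');
    }
}

// Until the browser sends an Authorization header, answer 401 with a
// challenge; the browser then shows its own UID/pw entry box.
function requireBasicAuth(string $realm): array
{
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
        || $_SERVER['PHP_AUTH_USER'] === '') {
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        header('HTTP/1.0 401 Unauthorized');
        exit('Authentication required.');
    }
    return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']];
}

// Fail loudly if the site is still using the stock default pair, so an
// installation that never changed it cannot be administered from here.
function rejectDefaultCredentials(string $username, string $password): void
{
    if ($username === 'Administrator' && $password === 'admin') {
        header('HTTP/1.0 403 Forbidden');
        exit('Default administrator credentials are not accepted; change them first.');
    }
}

// Open the site connection with the supplied credentials, never with a
// literal stored in the file. MapGuide rejects bad credentials in Open().
function openSiteConnection(string $username, string $password): MgSiteConnection
{
    $userInfo = new MgUserInformation();
    $userInfo->SetMgUsernamePassword($username, $password);
    $site = new MgSiteConnection();
    $site->Open($userInfo);   // throws an MgException subclass on auth failure
    return $site;
}

// Assumed stock layout: serveradminhelper.php in mapviewerphp/, webconfig.ini one level up.
$webconfigPath = dirname(__FILE__) . '/../webconfig.ini';
MgInitializeWebTier($webconfigPath);

requireTls();
list($username, $password) = requireBasicAuth('MapGuide Server Admin');
rejectDefaultCredentials($username, $password);

try {
    $site = openSiteConnection($username, $password);
    // The stock helper's admin operations (MgServerAdmin etc.) follow here,
    // now running as the user who authenticated rather than as a baked-in admin.
} catch (MgException $e) {
    header('HTTP/1.0 403 Forbidden');
    // Escape the message so a server-side string cannot inject markup into the reply.
    exit('Login failed: ' . htmlspecialchars($e->GetExceptionMessage(), ENT_QUOTES, 'UTF-8'));
}
```

Two checks worth keeping in mind with this form: Basic Auth has no logout, so the browser resends the credentials until it is closed, and the 401 challenge protects only this script, so the other helpers in the mapviewer folder need the same treatment or they remain reachable with whatever literal they carry.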