SS-2017-010: install.php discloses sensitive data by pre-populating DB credential forms

Severity: High
Identifier: ss-2017-010
Versions Affected: 4.0.0
Versions Fixed: 4.0.1
Release Date: 2017-12-07

When accessing the install.php script, it is possible to extract any pre-configured database or default admin account password by viewing the source of the page and inspecting the `value` attribute of the password fields.

Sites which do not have install.php deployed are not affected.
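
A check for the pre-populated password fields this advisory describes, as an added example rather than code from the advisory or from SilverStripe: it parses the saved HTML of a page and reports every password input that carries a non-empty `value` attribute. The sample markup and its field names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup (not taken from SilverStripe's install.php);
# the field names are hypothetical.
SAMPLE_HTML = """
<form method="post">
  <input type="text" name="db[username]" value="cms_user">
  <input type="password" name="db[password]" value="s3cr3t-db-pass">
  <input type="PASSWORD" name="admin[password]" value="">
  <input type="password" name="admin[confirm]">
  <input name="db[server]" value="localhost">
</form>
"""


class PrefilledPasswordFinder(HTMLParser):
    """Collects password inputs whose value attribute is non-empty."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <input ... /> tags also arrive here via handle_startendtag.
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() != "password":
            return
        value = a.get("value", "")
        if value:
            line, _col = self.getpos()
            # Record field name, line and value length only, never the secret.
            self.findings.append((a.get("name", "<unnamed>"), line, len(value)))


def find_prefilled_passwords(html_text):
    """Return (field name, line number, value length) per pre-populated field."""
    finder = PrefilledPasswordFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for name, line, length in find_prefilled_passwords(SAMPLE_HTML):
        print(f"line {line}: password field {name!r} is pre-populated ({length} chars)")
```

The report deliberately omits the field values, so its output can be attached to a ticket or CI log without repeating the exposed secret.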