Did you remember to....
March 27, 2009

Developers often forget to check up on some of the simple things when delivering a solution, especially if no review is in place. I myself try to keep a checklist of things that should be double-checked before a solution is handed over to the customer.
Here are some of the small/big things that I find we or other developers have forgotten about when delivering a Sitecore solution.
Admin Folder
The admin folder under the Sitecore folder often holds scripts that could make a solution vulnerable, such as one that reads the web.config file, or dbbrowser (which of course is password protected, but still). When reading this you should ask yourself whether you remembered to delete the folder, disallow anonymous access to it, or protect it in some other way.
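As an added illustration (not from the original post), the "disallow anonymous access" option can be written as a standard ASP.NET URL-authorization rule in web.config, scoped to the admin folder only. The path sitecore/admin and the use of ASP.NET Forms authentication on the site are assumptions.

```xml
<!-- Added example, not part of the original post or of Sitecore's own config.
     Assumes the admin scripts live under /sitecore/admin and that the site
     uses ASP.NET Forms authentication, so denied requests are sent to the
     login page instead of being served. -->
<configuration>
  <!-- Scope the rule to the folder so the rest of the site is unaffected. -->
  <location path="sitecore/admin">
    <system.web>
      <authorization>
        <!-- "?" is ASP.NET shorthand for anonymous (unauthenticated) users.
             Authenticated users still fall through to the site's own rules. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

ASP.NET URL authorization only covers requests that ASP.NET actually handles: on IIS 6 (classic pipeline) static files in the folder are served by IIS without consulting this rule, so deleting the folder from the production site remains the simpler and safer option.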
Sitecore 5.3 Audrey user
This one is my favourite! The audrey user in Sitecore 5.3 solutions. I can't remember how many solutions in which I have had to delete or disable this user because someone else forgot to, leaving the solution wide open, since audrey has a blank password.
And I could mention about 5-10 Sitecore solutions that I have stumbled upon online with either the audrey, webmaster or developer user enabled. It is unfortunate that so many developers forget about these "shadow" user accounts.
Sitecore 5.2 Webmaster and Developer user
My second favourite! Probably because there aren't so many 5.2 versions out there any more, but I have taken over a bunch (well, maybe 3-4) of 5.2 solutions which had the webmaster and developer user enabled, even though the solution had been running for 1-2 years!
Although these user accounts may give limited access, the "hacker" would still be able to see everything in your Sitecore client. And if you have modules like the mailing list installed, well, then you are exposing the email addresses of all your subscribers, right?