Basically it is only an issue when an install is web facing and accessible without a login set. Proper fix is a new popup forcing users to set a username/password on their install if some check is done that shows it is accessible from the internet without a password. I think that if there is no login set, we should determine the public IP/address and try a get_url to it, and then check for a value on the page. If the get_url finds the value we know the user does not have a proxy or other method that is securing the service on the web, and we should block access from the public IP and pop up a modal when accessed from a machine on the local network that explains the problem and forces them to set a password.
The other fix for the exact issue @Sudneo reported is related to external post processing scripts. I won't go into the details but we need to sanitize the input and force the user to put the script into the SC data (or a new "scripts" folder), and then limit the $PATH so that other system utilities cannot be called with arguments that would escalate accessibility to the machine.
Both of these things need to be done, if you are interested in working on either of them @WebSpider? I've been quite busy with family and holidays, but these have been very high priority for a really long time now lol...
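The script-handling fix proposed in the comment above, sketched as an added example that is not part of the original comment or the project's code. The function names, the `scripts_dir` parameter and the POSIX host are assumptions made for illustration.

```python
import shlex
import subprocess
from pathlib import Path


def resolve_script(scripts_dir, configured):
    """Turn the configured command string into argv, or raise ValueError.

    The executable must be a regular file inside scripts_dir once symlinks
    and ".." are resolved; absolute paths to other locations are rejected.
    """
    argv = shlex.split(configured)  # split like a shell, but never run one
    if not argv:
        raise ValueError("empty script setting")
    base = Path(scripts_dir).resolve()
    target = (base / argv[0]).resolve()
    if base not in target.parents or not target.is_file():
        raise ValueError(f"script must be a file inside {base}")
    return [str(target)] + argv[1:]


def restricted_env(scripts_dir):
    """Environment for the child: PATH holds only the scripts folder."""
    return {"PATH": str(Path(scripts_dir).resolve())}


def run_script(scripts_dir, configured, extra_args=()):
    """Run an approved script with no shell and the limited PATH."""
    argv = resolve_script(scripts_dir, configured)
    argv += [str(a) for a in extra_args]  # e.g. file names, passed as plain argv
    return subprocess.run(argv, env=restricted_env(scripts_dir), shell=False,
                          capture_output=True, text=True, timeout=60)
```

With this PATH a script whose shebang is `#!/usr/bin/env ...` cannot locate its interpreter, so approved scripts need an absolute interpreter path in the shebang.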