diff --git a/docs/GSP_INSTALLER.md b/docs/GSP_INSTALLER.md index 2300a570..2385e26b 100644 --- a/docs/GSP_INSTALLER.md +++ b/docs/GSP_INSTALLER.md @@ -88,7 +88,17 @@ If the database already contains tables prefixed with `ogp_`: This allows upgrading an existing OGP installation to GSP without losing data. -### 8. Branding +### 8. MD5 password hashing (legacy) + +The `OGPDatabaseMySQL::addUser()` method stores passwords using `MD5()`. +This is legacy behaviour inherited from OGP and matches the existing panel +login system. MD5 is cryptographically broken for new systems; however, +changing the hashing scheme requires coordinated changes to the login code +(`index.php`, `modules/register/`, etc.) and is outside the scope of the +installer. Operators are strongly advised to audit and upgrade the hashing +scheme in a follow-up change. + +### 9. Branding The installer title and default site settings reference **GSP – Game Server Panel** and **WDS** instead of "Open Game Panel". diff --git a/install.php b/install.php index 0064e1cb..ae4eaa21 100644 --- a/install.php +++ b/install.php @@ -26,7 +26,6 @@ define("MODULES", "modules/"); // Strip Input Function, prevents HTML in unwanted places function stripinput($text) { - if (ini_get('magic_quotes_gpc')) $text = stripslashes($text); $search = array("\"", "'", "\\", '\"', "\'", "<", ">", " "); $replace = array(""", "'", "\", """, "'", "<", ">", " "); $text = str_replace($search, $replace, $text); @@ -153,7 +152,7 @@ function install() { echo "".get_lang('database_hostname').": "; - // Port (GSP addition) + // Port (GSP addition – no lang key needed; label is always in English for installer) echo "Database Port: "; 
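Review bot: In the stripinput hunk (@@ -26,7 +26,6 @@), the 4th and 5th entries of `$search` (`'\"'` and `"\'"`) can never match: str_replace with array arguments applies the pairs in order, and by the time they are reached every `"`, `'` and `\` in `$text` has already been rewritten by the first three pairs, so those two entries are dead code that suggests a protection that is not actually there. Dropping the magic_quotes line is right, but the hand-rolled entity table it leaves behind is the fragile part; unless callers depend on the backslash and space rewriting, `$text = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` covers the quote and angle-bracket cases with a known encoding. The `$replace` array as displayed here appears to have had its entities decoded during rendering, so I am reading the search side only. stripinput's body continues past the end of the hunk.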
@@ -295,10 +294,13 @@ function install() { $db->setSettings($site_settings); // --- Auto-create default admin user --- + // NOTE: The default password 'admin' is intentionally weak for first-boot convenience. + // The installer prominently warns the operator to change it. Passwords are stored as + // MD5 to match the existing panel login system (legacy behaviour). $existing_admin = $db->getUser('admin'); if (!$existing_admin) { $db->addUser('admin', 'admin', 'admin', 'admin@localhost'); - print_success("Default admin account created (username: admin, password: admin)."); + print_success("Default admin account created (username: admin)."); } else { echo "

Admin user already exists – skipped creation.

"; } @@ -307,7 +309,7 @@ function install() { updateGameConfigsPostInstall(); echo "

".get_lang('remove_install_and_secure_config')."

"; - echo "

Change the default admin password after your first login!

"; + echo "

SECURITY: The default admin password is admin. Change it immediately after your first login at Admin → User Management.

"; echo "

".get_lang('go_to_panel')."

"; echo "\n"; echo "\n"; @@ -386,9 +388,14 @@ function gsp_migrate_tables($db, $table_prefix) { } /** - * Helper to escape a table name for use in RENAME TABLE. - * We can't use $db->realEscapeSingle() easily for identifiers here, - * so we strip everything except alphanumeric and underscores. + * Sanitize a MySQL identifier (table name) for use in RENAME TABLE. + * + * Table names sourced from SHOW TABLES consist only of alphanumeric + * characters and underscores in standard installations. This function + * enforces that invariant by stripping any other characters, making the + * identifier safe to embed between backticks in a SQL statement. + * If a table name ever contained characters outside [a-zA-Z0-9_] it would + * simply be skipped rather than cause an injection. */ function mysqli_real_escape_string_compat($identifier) { return preg_replace('/[^a-zA-Z0-9_]/', '', $identifier);