
Moving forward with Composr

ocPortal has been relaunched as Composr CMS. ocPortal 9 is superseded by Composr 10.

Head over to for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.

Advice for the ocPortal master password

Hello,

A security researcher has contacted us to make us aware of some weaknesses in the design of our master password system.

There is no vulnerability here per se; however, the researcher raises some valid concerns. Essentially it boils down to us not forcing users to choose strong passwords, and a lack of strong defences against brute-force password guessing attempts. We can improve on what we do, and we want to provide additional advice to our users.

We want to thank Tristan Madani for providing us with a professional and detailed threat analysis.

Basic protection

We will be addressing these concerns within Composr, but to be protected please ensure your master password follows these rules:
  • at least 8 characters in length
  • contains at least 1 upper case character
  • contains at least 1 lower case character
  • contains at least 1 number
  • contains at least 1 symbol

Further optional protection

Alternatively, or additionally, you can temporarily remove the $SITE_INFO['admin_password']='xxx'; line from your info.php file and only put it back when you need to log into a maintenance script such as the upgrader.

To provide additional protection beyond the master password you may want to set IP-based restrictions (or temporary access blocks) on the following scripts:
  • rootkit_detection.php
  • upgrader.php
  • uninstall.php
  • data/upgrader2.php
  • config_editor.php
  • code_editor.php

The following are sample access rules for an Apache .htaccess file that provide a temporary access block:


# <FilesMatch> compares the file's basename only, so a pattern with a directory part such as "data/upgrader2" would never match; "upgrader2" covers data/upgrader2.php
<FilesMatch ^((rootkit_detection|upgrader|uninstall|upgrader2|config_editor|code_editor)\.php)$>
   # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of the next two lines
   Order allow,deny
   Deny from all
</FilesMatch>

You should test these rules are working correctly after applying them.
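One way to test the rules, as an added example (Python, not ocPortal's own code): it matches each listed script's basename against a FilesMatch regex the way Apache does, which catches a pattern that silently misses a script, and it can probe a live site for the expected 403. The base URL passed to probe() is an assumption you supply for your own site.

```python
"""Check that an Apache FilesMatch block covers the ocPortal maintenance scripts.
Example code added for this post; not part of ocPortal or Composr."""
import re
import urllib.request
import urllib.error

# Scripts named in the post (paths relative to the ocPortal web root).
MAINTENANCE_SCRIPTS = [
    "rootkit_detection.php", "upgrader.php", "uninstall.php",
    "data/upgrader2.php", "config_editor.php", "code_editor.php",
]

def uncovered_scripts(filesmatch_regex, scripts=MAINTENANCE_SCRIPTS):
    """Return the scripts whose basename the FilesMatch regex does NOT match.
    Apache's <FilesMatch> tests the file's basename, not its path, so any
    alternative containing a directory component can never match."""
    pattern = re.compile(filesmatch_regex)
    return [s for s in scripts if not pattern.search(s.rsplit("/", 1)[-1])]

def probe(base_url, scripts=MAINTENANCE_SCRIPTS, timeout=5):
    """Fetch each script from your own site and return {script: HTTP status}.
    403 for every entry means the block is in effect. base_url is an assumption."""
    statuses = {}
    for s in scripts:
        url = base_url.rstrip("/") + "/" + s
        try:
            with urllib.request.urlopen(url, timeout=timeout) as r:
                statuses[s] = r.getcode()
        except urllib.error.HTTPError as e:
            statuses[s] = e.code
    return statuses

if __name__ == "__main__":
    # A pattern with a directory component never matches data/upgrader2.php.
    with_dir = r"^((rootkit_detection|upgrader|uninstall|data/upgrader2|config_editor|code_editor)\.php)$"
    # Basename-only pattern that covers all six scripts.
    basename_only = r"^((rootkit_detection|upgrader|uninstall|upgrader2|config_editor|code_editor)\.php)$"
    print("uncovered (directory pattern):", uncovered_scripts(with_dir))
    print("uncovered (basename pattern):", uncovered_scripts(basename_only))
    # To probe a live site, run e.g.: print(probe("https://your-site.example/"))
```

Run the static check on the exact regex from your .htaccess first; the live probe only confirms what the web server actually enforces.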
