How Secure is Sitecake?

Does Sitecake have any known security vulnerabilities?

Does Sitecake send any information about my server to you guys?

Is there anything I can do to further secure the Sitecake editor on my server?

We do not know of any vulnerabilities. If we did we would fix them :smile:

Sitecake is not Wordpress, it’s tiny compared to Wordpress and thus we are not the target for hackers. It’s a waste of time for them to create scripts to probe Sitecake websites. So you are secure from the start since you are using a special CMS, not one of the big guys.

You can boost security by renaming sitecake.php to anything you want. So no probes would be able to detect Sitecake on the server.

Sitecake does not run websites like Wordpress does; you just use it for editing a website (like you would with Dreamweaver or a similar package, and you are not concerned whether Dreamweaver is secure :wink: ), and after editing you can delete Sitecake if you want and your website would keep working.

And yes, we do encrypt the admin password :slight_smile:


I did notice the admin password was encrypted. Would it be possible in the future to be able to script in additional users?

Also, if I wanted to manually set the password, what format should I encrypt my string in?

What I did was rename my sitecake.php, and I used a rewrite rule to display a different page when trying to access sitecake.php.


.htaccess file:
RewriteEngine on
# serve rekt.html (or whatever resource you want) whenever sitecake.php is requested
RewriteRule ^sitecake\.php$ rekt.html


But the question remains: if I wanted to manually set the password, what format should I encrypt my string in? That way I don’t have to reset the default password to admin; if I ever need to, I can just set it to the password I prefer.

NIK

I have discovered a bug in Sitecake.

When you rename sitecake.php on the server and log in to it, you can only edit the index page; whenever you try to change pages it is looking for sitecake.php even though it was renamed.

You are right about renaming sitecake.php. It works only with one-page websites. We will make this configurable in one of the next releases.

Regarding password encryption, we use the SHA1 algo for encryption. You can create your encrypted passwords and save them in the credentials.php file.

Is the hash generated directly from the password string or is there some salt involved somewhere? I can’t see any mention of salt anywhere, but just wanted to check.

Sorry to bring this thread up again but I didn’t think my question needed an entirely new thread.

No salt as far as we know :slight_smile:

No salt, I just hash the password and paste the hash in.
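As an added example (not Sitecake's own code), the hash format the thread describes, an unsalted SHA1 hex digest, produced and checked the way a site owner setting the password by hand would want: a format check on the value before pasting it into credentials.php, a constant-time comparison for verification, and a demonstration of what "no salt" means in practice. UTF-8 encoding of the password and lowercase hex output are assumptions; the exact layout of credentials.php is not shown in the thread and is not modelled here.

```python
import hashlib
import hmac
import re

# Assumption: Sitecake stores the admin password as a bare 40-character SHA1 hex
# digest (the thread says "SHA1", "no salt", "paste the hash in"); how that value
# sits inside credentials.php is not described, so only the value is handled here.
SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")


def sitecake_password_hash(password: str) -> str:
    """Unsalted SHA1 hex digest of the password, the format described in the thread."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def looks_like_sha1_hex(value: str) -> bool:
    """Sanity check before pasting a hand-made hash: exactly 40 hex characters."""
    return bool(SHA1_HEX.match(value))


def verify_password(candidate: str, stored_hash: str) -> bool:
    """Check a login attempt against the stored digest.

    hmac.compare_digest avoids short-circuiting on the first differing byte,
    so the comparison time does not depend on how much of the hash matches.
    """
    if not looks_like_sha1_hex(stored_hash):
        return False
    return hmac.compare_digest(sitecake_password_hash(candidate), stored_hash.lower())


def same_password_same_hash(first: str, second: str) -> bool:
    """With no salt mixed in, identical passwords always yield identical digests.

    This is the property the last question in the thread is really about: a salt
    would make two stored hashes differ even when the passwords are the same.
    """
    return sitecake_password_hash(first) == sitecake_password_hash(second)


if __name__ == "__main__":
    # "admin" is the default password mentioned earlier in the thread.
    digest = sitecake_password_hash("admin")
    print(digest, looks_like_sha1_hex(digest), verify_password("admin", digest))
```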