lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Joomla

Open Source Matterscms3 credentials

Credentials3 documented
01

Database Credentials

joomla / database-credentials

Joomla stores site configuration in configuration.php. Database connection settings in that file commonly include host, user, password, database, and prefix values used by the CMS.

user definedsecretusername/password

Looks like

pattern
pattern

Joomla configuration.php database password property

public\s+\$password\s*=\s*[^;\r\n]+;

Location

config file
configuration.php

Joomla site configuration containing database credentials and secrets

environment
JOOMLA_DB_USER, JOOMLA_DB_PASSWORD, JOOMLA_DB_HOST, JOOMLA_DB_NAME
secret store

hosting secrets, Docker/Kubernetes secrets, cloud secret managers, and CI/CD variables

source code

accidentally committed configuration.php files, deployment scripts, and backups

artifact

site archives, webroot backups, and container images

logs

installer logs, support bundles, and debug output

Notes

Database credentials can expose Joomla users, password hashes, content, extensions, and site configuration stored in the database.

02

Site Secret

joomla / site-secret

Joomla configuration includes secret site material used by the application for session and token protection. Exposure of configuration.php can reveal the secret alongside database credentials.

generated on installsecretsecret value

Looks like

pattern
pattern

Joomla configuration.php secret property

public\s+\$secret\s*=\s*[^;\r\n]+;

Location

config file
configuration.php

Joomla site secret and runtime configuration

source code

committed site configuration, examples, and backups

artifact

site archives and container images containing configuration.php

secret store

managed hosting and deployment secrets

Notes

The secret is not a login password but should be treated as site-specific secret material.

03

Administrator/User Password

joomla / administrator-password

Joomla administrator accounts authenticate to the administrator interface with user-defined passwords. The initial administrator account is created during installation.

user definedsecretusername/password

Location

database

Joomla users table containing account data and password hashes

public interface
/administrator

Joomla administrator login interface

source code

installation scripts, test fixtures, and accidentally committed credentials

logs

web server logs, failed login traces, and support bundles

Notes

Joomla does not have a universal administrator password; default-like credentials belong to specific installers or images if separately sourced.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.