lolcreds

Public credential defaults and exposure patterns for authorized security testing.

TikiWiki / Tiki CMS Groupware

Tiki Software Community Associationcms3 credentials

Credentials3 documented
01

User Password Hash

tikiwiki / user-password-hash

Tiki stores local users and password verifier data in its database for wiki/CMS/groupware authentication unless external auth is used.

user definedsecretusername/password

Location

database

Tiki user tables containing local account password hashes and login state

public interface
Tiki login, web UI, and service endpoints
artifact

database dumps and site backups

02

Token Access Secret

tikiwiki / token-access

Tiki supports token access features that allow generated tokens to grant access according to configured permissions and expiry.

generated on installuser definedsecrettoken

Location

http header
Authorization

Bearer or token-style usage by API/integration clients where configured

database

Tiki token access records and permissions

config file

integration scripts, URL tokens, and automation settings

secret store

password managers and CI/CD secrets

logs

web server access logs and integration traces

03

Database, Mail, LDAP, and OAuth Secrets

tikiwiki / db-mail-ldap-oauth-secrets

Tiki installations contain database credentials, SMTP passwords, LDAP bind credentials, OAuth client secrets, and other integration secrets in local config and database settings.

user definedgenerated on installsecretsecret value

Location

config file
db/local.php

database connection credentials and local site configuration

database

preference and integration tables containing service secrets

secret store

Kubernetes/Docker secrets, vaults, and password managers

source code

deployment manifests and committed site configs

logs

mail, LDAP, OAuth, and installer debug logs

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.