In SilverStripe up to and including 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.
silverstripe silverstripe