MantisBT - ATutor
View Issue Details
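ID: 0003285
Project: ATutor
Category: Admin
View Status: public
Date Submitted: 2008-01-11 06:21
Last Update: 2008-08-21 08:55
Reporter: IndieRect
Assigned To: cindy
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed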
1.6 
1.6.1 
SVN
0003285: Encrypt passwords with JavaScript
Related to: http://www.atutor.ca/atutor/mantis/view.php?id=3283

As of the fresh r7219, admin passwords seem to be SHA1-hashed at the server side, that is after they have travelled in plaintext through the network. This is very insecure.

The passwords should be encrypted client-side with JavaScript.
No tags attached.
Issue History
2008-01-11 06:21 | IndieRect | New Issue
2008-01-11 06:21 | IndieRect | Affects version | => SVN
2008-01-11 06:53 | harris | Note Added: 0002739
2008-01-11 06:53 | harris | Note Edited: 0002739
2008-01-11 23:08 | IndieRect | Note Added: 0002740
2008-01-14 11:25 | greg | Status | new => assigned
2008-01-14 11:25 | greg | Assigned To | => harris
2008-01-15 09:02 | harris | Note Added: 0002741
2008-01-15 09:04 | harris | Status | assigned => resolved
2008-01-15 09:04 | harris | Resolution | open => fixed
2008-01-15 09:04 | harris | Note Added: 0002742
2008-01-22 00:10 | IndieRect | Status | resolved => feedback
2008-01-22 00:10 | IndieRect | Resolution | fixed => reopened
2008-01-22 00:10 | IndieRect | Note Added: 0002759
2008-01-22 06:28 | harris | Note Added: 0002765
2008-01-24 10:22 | harris | Note Added: 0002769
2008-01-24 10:22 | harris | Status | feedback => acknowledged
2008-01-24 10:22 | harris | Note Deleted: 0002765
2008-04-10 06:34 | harris | Status | acknowledged => assigned
2008-04-10 06:34 | harris | Assigned To | harris => cindy
2008-04-16 07:13 | greg | Status | assigned => resolved
2008-04-16 07:13 | greg | Fixed in Version | => 1.6.1
2008-04-16 07:13 | greg | Resolution | reopened => fixed
2008-04-16 07:13 | greg | Note Added: 0002824
2008-04-16 07:15 | greg | Note Added: 0002825
2008-08-21 08:55 | greg | Status | resolved => closed

Notes
(0002739)
harris   
2008-01-11 06:53   
The client side has also been encrypted. It is relocated in the sha-1factory.js.

(0002740)
IndieRect   
2008-01-11 23:08   
Probably I didn't make it clear.

The passwords during login process *are* nicely hashed with a token, right.
But when creating an admin or editing passwords they are sent in plaintext.

I believe that the following changes are needed:
1. New passwords have to be hashed before they are sent (install/include/step3.php, admin/admins/password.php, admin/admins/create.php, admin/admins/my_password.php).
2. Old passwords (admin/admins/my_password.php) should be treated the same way as the passwords during the login process -- with tokens etc.
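
Added example, not part of the tracker thread and not ATutor's code: a sketch of the distinction note 0002740 draws between a token-hashed login or old-password field and a hashed new-password field. The scheme (server stores SHA1(password), browser sends SHA1(SHA1(password) + token)) and all function names are assumptions for illustration.

```javascript
// Added example, not ATutor code. Assumed scheme: server stores SHA1(password),
// issues a one-time token per form, browser sends SHA1(SHA1(password) + token).
const crypto = require('node:crypto');
const sha1 = (s) => crypto.createHash('sha1').update(s, 'utf8').digest('hex');

// --- server side (hypothetical helpers) ---
const tokens = new Map(); // sessionId -> outstanding token

function issueToken(sessionId) {
  const token = crypto.randomBytes(20).toString('hex');
  tokens.set(sessionId, token);
  return token;
}

function verifyTokenResponse(sessionId, storedHash, response) {
  const token = tokens.get(sessionId);
  tokens.delete(sessionId); // single use: a token never verifies twice
  if (!token) return false;
  const expected = Buffer.from(sha1(storedHash + token), 'hex');
  const got = Buffer.from(String(response), 'hex');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// --- browser side: values a form's submit handler would put on the wire ---
// Login / old-password field (item 2 of the note): bound to the token.
const tokenResponse = (password, token) => sha1(sha1(password) + token);
// New-password field (item 1): the server must learn the hash to store it,
// so this value cannot be token-bound and is the same on every submission.
const newPasswordField = (password) => sha1(password);

function demo() {
  const pw = 'constructed-sample-pw'; // constructed sample value
  const stored = sha1(pw);
  const sent = tokenResponse(pw, issueToken('s1'));
  const firstUse = verifyTokenResponse('s1', stored, sent);
  issueToken('s1'); // next form load gets a fresh token
  const resent = verifyTokenResponse('s1', stored, sent);
  return {
    firstUse, // true: response matches the outstanding token
    resent, // false: old response checked against a new token
    newFieldEqualsStored: newPasswordField(pw) === stored, // true
  };
}

console.log(demo());
```

The last field shows why items 1 and 2 differ: a new password's hash has to arrive as-is, so what travels is the value the server stores.
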
(0002741)
harris   
2008-01-15 09:02   
admin/admins/my_password.php
will have to be changed with the members' password encryption.
(0002742)
harris   
2008-01-15 09:04   
7222
(0002759)
IndieRect   
2008-01-22 00:10   
I'm sorry for reopening this issue.

No changes are made to admin/admins/my_password.php. If you're going to revisit this when adding the password encryption for members (which I suppose could be the case as it, when done at once, would require fewer changes to the code), please don't forget it then.
(0002769)
harris   
2008-01-24 10:22   
Thanks for the reminder, I will keep this in mind.
(0002824)
greg   
2008-04-16 07:13   
All user passwords are now encrypted.
revision 7396
(0002825)
greg   
2008-04-16 07:15   
Affected files

U documentation/instructor/course_email.php
G tools/my_tests.php
G include/vitals.inc.php
U include/html/enroll_edit.inc.php
U include/lib/enroll.inc.php
U registration.php
U install/include/step3.php
A install/include/ustep_pwd_encryt.php
U install/db/atutor_schema.sql
U install/db/atutor_upgrade_1.6_to_1.6.1.sql
U blogs/delete_post.php
U themes/default/password_reminder.tmpl.php
U themes/default/users/password_change.tmpl.php
U themes/default/users/email_change.tmpl.php
U themes/default/password_change.tmpl.php
U themes/default/login.tmpl.php
U themes/default/registration.tmpl.php
U login.php
U users/email_change.php
U users/password_change.php
U sha-1factory.js
U admin/create_user.php
U admin/password_user.php
U admin/admins/password.php
U admin/admins/create.php
U admin/admins/my_password.php
U password_reminder.php