|Anonymous | Login | Signup for a new account||2017-12-17 20:19 EST|
|My View | View Issues | Change Log | Roadmap | Repositories | My Account|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0003285||ATutor||Admin||public||2008-01-11 06:21||2008-08-21 08:55|
|Target Version||Fixed in Version||1.6.1|
|Description||Related to: http://www.atutor.ca/atutor/mantis/view.php?id=3283 [^] .|
As of the fresh r7219, admin passwords seem to be SHA1-hashed at the server side, that is after they have travelled in plaintext through the network. This is very insecure.
|Tags||No tags attached.|
edited on: 2008-01-11 06:53
The client side has also been encrypted. It is relocated in the sha-1factory.js
Probably I didn't make it clear.
The passwords during login process *are* nicely hashed with a token, right.
But when creating an admin or editing passwords they are sent in plaintext.
I believe that the following changes are needed:
1. New passwords have to be hashed before they are sent (install/include/step3.php, admin/admins/password.php, admin/admins/create.php, admin/admins/my_password.php).
2. Old passwords (admin/admins/my_password.php) should be treated the same way as the passwords during the login process -- with tokens etc.
will have to be changed with the members' password encryption.
I'm sorry for reopening this issue.
No changes are made to admin/admins/my_password.php. If you're going to revisit this when adding the password encryption for members (which I suppose could be the case as it, when done at once, would require less changes to the code), please don't forget it then.
|Thanks for the reminder, I will keep this in mind.|
all user passwords are now encrypted
|2008-01-11 06:21||IndieRect||New Issue|
|2008-01-11 06:21||IndieRect||Affects version||=> SVN|
|2008-01-11 06:53||harris||Note Added: 0002739|
|2008-01-11 06:53||harris||Note Edited: 0002739|
|2008-01-11 23:08||IndieRect||Note Added: 0002740|
|2008-01-14 11:25||greg||Status||new => assigned|
|2008-01-14 11:25||greg||Assigned To||=> harris|
|2008-01-15 09:02||harris||Note Added: 0002741|
|2008-01-15 09:04||harris||Status||assigned => resolved|
|2008-01-15 09:04||harris||Resolution||open => fixed|
|2008-01-15 09:04||harris||Note Added: 0002742|
|2008-01-22 00:10||IndieRect||Status||resolved => feedback|
|2008-01-22 00:10||IndieRect||Resolution||fixed => reopened|
|2008-01-22 00:10||IndieRect||Note Added: 0002759|
|2008-01-22 06:28||harris||Note Added: 0002765|
|2008-01-24 10:22||harris||Note Added: 0002769|
|2008-01-24 10:22||harris||Status||feedback => acknowledged|
|2008-01-24 10:22||harris||Note Deleted: 0002765|
|2008-04-10 06:34||harris||Status||acknowledged => assigned|
|2008-04-10 06:34||harris||Assigned To||harris => cindy|
|2008-04-16 07:13||greg||Status||assigned => resolved|
|2008-04-16 07:13||greg||Fixed in Version||=> 1.6.1|
|2008-04-16 07:13||greg||Resolution||reopened => fixed|
|2008-04-16 07:13||greg||Note Added: 0002824|
|2008-04-16 07:15||greg||Note Added: 0002825|
|2008-08-21 08:55||greg||Status||resolved => closed|
|Copyright © 2000 - 2017 MantisBT Team|