MantisBT

View Issue Details

ID: 0003285
Project: ATutor
Category: Admin
View Status: public
Date Submitted: 2008-01-11 06:21
Last Update: 2008-08-21 08:55
Reporter: IndieRect
Assigned To: cindy
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: (not set)
OS: (not set)
OS Version: (not set)
Product Version: 1.6
Target Version: (not set)
Fixed in Version: 1.6.1
Summary: 0003285: Encrypt passwords with JavaScript

Description:
Related to: http://www.atutor.ca/atutor/mantis/view.php?id=3283 .

As of the fresh r7219, admin passwords seem to be SHA1-hashed at the server side, that is after they have travelled in plaintext through the network. This is very insecure.

The passwords should be encrypted client-side with JavaScript.
Tags: No tags attached.
Affects version: SVN
SVN Revision: #
Attached Files: (none)

Relationships

Notes
(0002739)
harris (developer)
2008-01-11 06:53
edited on: 2008-01-11 06:53

The client side has also been encrypted. It is relocated in the sha-1factory.js.

(0002740)
IndieRect (reporter)
2008-01-11 23:08

Probably I didn't make it clear.

The passwords during the login process *are* nicely hashed with a token, right.
But when creating an admin or editing passwords they are sent in plaintext.

I believe that the following changes are needed:
1. New passwords have to be hashed before they are sent (install/include/step3.php, admin/admins/password.php, admin/admins/create.php, admin/admins/my_password.php).
2. Old passwords (admin/admins/my_password.php) should be treated the same way as the passwords during the login process -- with tokens etc.
(0002741)
harris (developer)
2008-01-15 09:02

admin/admins/my_password.php
will have to be changed with the members' password encryption.
(0002742)
harris (developer)
2008-01-15 09:04

7222
(0002759)
IndieRect (reporter)
2008-01-22 00:10

I'm sorry for reopening this issue.

No changes are made to admin/admins/my_password.php. If you're going to revisit this when adding the password encryption for members (which I suppose could be the case as it, when done at once, would require less changes to the code), please don't forget it then.
(0002769)
harris (developer)
2008-01-24 10:22

Thanks for the reminder, I will keep this in mind.
(0002824)
greg (administrator)
2008-04-16 07:13

all user passwords are now encrypted
revision 7396
(0002825)
greg (administrator)
2008-04-16 07:15

Affected files

U documentation/instructor/course_email.php
G tools/my_tests.php
G include/vitals.inc.php
U include/html/enroll_edit.inc.php
U include/lib/enroll.inc.php
U registration.php
U install/include/step3.php
A install/include/ustep_pwd_encryt.php
U install/db/atutor_schema.sql
U install/db/atutor_upgrade_1.6_to_1.6.1.sql
U blogs/delete_post.php
U themes/default/password_reminder.tmpl.php
U themes/default/users/password_change.tmpl.php
U themes/default/users/email_change.tmpl.php
U themes/default/password_change.tmpl.php
U themes/default/login.tmpl.php
U themes/default/registration.tmpl.php
U login.php
U users/email_change.php
U users/password_change.php
U sha-1factory.js
U admin/create_user.php
U admin/password_user.php
U admin/admins/password.php
U admin/admins/create.php
U admin/admins/my_password.php
U password_reminder.php

- Issue History
Date Modified Username Field Change
2008-01-11 06:21 IndieRect New Issue
2008-01-11 06:21 IndieRect Affects version => SVN
2008-01-11 06:53 harris Note Added: 0002739
2008-01-11 06:53 harris Note Edited: 0002739
2008-01-11 23:08 IndieRect Note Added: 0002740
2008-01-14 11:25 greg Status new => assigned
2008-01-14 11:25 greg Assigned To => harris
2008-01-15 09:02 harris Note Added: 0002741
2008-01-15 09:04 harris Status assigned => resolved
2008-01-15 09:04 harris Resolution open => fixed
2008-01-15 09:04 harris Note Added: 0002742
2008-01-22 00:10 IndieRect Status resolved => feedback
2008-01-22 00:10 IndieRect Resolution fixed => reopened
2008-01-22 00:10 IndieRect Note Added: 0002759
2008-01-22 06:28 harris Note Added: 0002765
2008-01-24 10:22 harris Note Added: 0002769
2008-01-24 10:22 harris Status feedback => acknowledged
2008-01-24 10:22 harris Note Deleted: 0002765
2008-04-10 06:34 harris Status acknowledged => assigned
2008-04-10 06:34 harris Assigned To harris => cindy
2008-04-16 07:13 greg Status assigned => resolved
2008-04-16 07:13 greg Fixed in Version => 1.6.1
2008-04-16 07:13 greg Resolution reopened => fixed
2008-04-16 07:13 greg Note Added: 0002824
2008-04-16 07:15 greg Note Added: 0002825
2008-08-21 08:55 greg Status resolved => closed