phplist

NOTE: Before reporting an issue, make sure you are running the latest version, currently 3.3.1


ID: 0012822
Project: phplist application
Category: Configuration
View Status: public
Date Submitted: 04-01-08 03:01
Last Update: 21-02-13 23:56
Reporter: benjam
Priority: normal
Severity: major
Reproducibility: N/A
Status: resolved
Resolution: fixed
Platform / OS / OS Version: (not given)
Product Version: 2.10.5
Target Version: 4.0.x
Fixed in Version: 2.11.0
Summary: 0012822: Database stores passwords in plain text

Description:
I noticed that the admin database stores passwords in plain text. This is a huge security risk. Not only does it open up the script to outside hackers if they ever get a hold of the database, but a malicious admin with access to the database can possibly use those passwords to gain access to other sites and products where the stored username and password combinations may also be valid.

At the very least, an MD5 hash should be used to obfuscate the passwords, and preferably, a salted password MD5 hash, or both to avoid collisions, should be used.
Tags: No tags attached.
Attached Files: (none)

Relationships:
child of 0010998 (new): Enhance security

Notes
(0050272)
michiel (manager)
18-12-08 17:36


Yes, true, it would be good to encrypt them. The thing is, in that case you can't send a password reminder, so you'd have to send a "password change token" instead.

That's quite a big change. Claudio, can you work on this?
(0050275)
user4377
30-12-08 12:31

Yes. I've been working on this, in the dev version.

1) I have added the possibility to encrypt passwords by setting a config flag. This way, when an admin is added or updated, his password is stored encrypted.

2) If the admin has problems or simply forgets his password, instead of sending an email with the new password, an email is sent with a new link which points to a password update page. The link is based on a token, given to allow only that person to change that password.

3) If the link is accessed after 24 hours, the password update is denied and the request is erased. This way, the admin has to perform a new password request.
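As an added illustration (not phpList code, and not what user4377 committed to the dev version), the Python sketch below puts the two points above into working form: the reporter's request that stored admin passwords be salted and hashed rather than kept in plain text, and the three-step reset flow in this note (hashed storage, a token-bearing reset link instead of an emailed password, and a 24-hour expiry after which the request is erased). It deliberately uses PBKDF2-HMAC-SHA256 rather than the MD5 the report mentions, stores only a hash of the reset token so a copy of the table cannot be used to redeem it, and uses in-memory dicts in place of the admin table; the names ADMINS, RESET_REQUESTS, request_reset and complete_reset are my own, and the config flag from step 1 is not modelled (passwords are always hashed).

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stand-ins for the admin table and the pending-reset
# table (assumption: a real deployment keeps both in the database).
ADMINS = {}           # username -> {"password": "<salt_hex>$<digest_hex>"}
RESET_REQUESTS = {}   # sha256(token) -> (username, created_at)
TOKEN_LIFETIME = 24 * 60 * 60   # 24 hours, matching the expiry in the note
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$digest' using a random per-user salt and a slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def add_admin(username: str, password: str) -> None:
    """Step 1: an added or updated admin is stored with a hash, never plain text."""
    ADMINS[username] = {"password": hash_password(password)}


def login(username: str, password: str) -> bool:
    record = ADMINS.get(username)
    if record is None:
        return False
    return verify_password(password, record["password"])


def _token_key(token: str) -> str:
    # Only the hash of the token is persisted; the clear token goes in the email.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2: mint a single-use token to embed in the emailed reset link.

    Returns the clear token (to be mailed), or None for an unknown admin.
    """
    if username not in ADMINS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_REQUESTS[_token_key(token)] = (username, now if now is not None else time.time())
    return token


def reset_link(token: str, base_url: str = "https://example.invalid/admin/reset") -> str:
    """Build the link the email would carry (base_url is a placeholder)."""
    return base_url + "?token=" + token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 3: honour the link once, and only within TOKEN_LIFETIME.

    The pending request is erased whether it succeeds or expires, so a
    late or replayed link forces the admin to start a new request.
    """
    entry = RESET_REQUESTS.pop(_token_key(token), None)
    if entry is None:
        return False
    username, created_at = entry
    current = now if now is not None else time.time()
    if current - created_at > TOKEN_LIFETIME:
        return False
    ADMINS[username]["password"] = hash_password(new_password)
    return True
```

The `now` parameter exists only so the expiry rule can be exercised deterministically; in production the functions fall back to the real clock.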
(0050276)
user4377
08-01-09 17:35

Ok, changes were made.
New features are available for testing.

