Task #59233

open

Do not transfer content of fields with eval=password

Added by Franz G. Jahn almost 10 years ago. Updated over 6 years ago.

Status: Accepted
Priority: Should have
Assignee: -
Category: Security
Start date: 2014-05-30
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags: security
Complexity: hard
Sprint Focus:

Description

When you edit an arbitrary record with a password field, the content of the password field (as stored in the database) is transferred to the user. This affects e.g. the value of backend user passwords if the backend user record is edited by admins. This might imply that the password hash is transferred over an unencrypted connection without any need.

It would be nice if the content of password fields would not be part of the delivered HTML.


Related issues (2): 0 open, 2 closed

Has duplicate TYPO3 Core - Task #70214: rsaauth should not send hashed password hash to formengine (Closed, Markus Klein, 2015-09-30)

Has duplicate TYPO3 Core - Task #80017: Security: Do not send password hashes when editing user records (Closed, 2017-02-25)

#1

Updated by Mathias Schreiber over 8 years ago

  • Tracker changed from Feature to Task
  • Target version set to Candidate for patchlevel
  • TYPO3 Version set to 6.2

Affected elements:

  • FormEngine InputElement
  • FormEngine RSAElement
Solution 1:
  • autocomplete = off
  • set hidden field to disabled and only set enabled on change
  • remove hidden field value
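The following is an added illustration of the approach described in the ticket and in Solution 1 above; it is not TYPO3 core code. It models the two halves of the fix in plain Python: the edit form is rendered with the password input empty, autocomplete off and disabled (so the stored hash never reaches the browser and the field is not submitted unless the editor changes it), and the submission handler treats a missing or empty password field as "unchanged". The column names, the TCA-style `eval` configuration and the PBKDF2 hashing routine are constructed for the example and stand in for whatever the real application uses.

```python
"""Added example (not TYPO3 code): keep stored password hashes out of the edit form."""
import hashlib
import hmac
import os
from html import escape

# Constructed column configuration in the style of a TCA "eval" list.
COLUMNS = {
    "username": {"type": "input", "eval": "trim,required"},
    "password": {"type": "input", "eval": "trim,required,password"},
    "email":    {"type": "input", "eval": "trim"},
}


def is_password_field(config):
    """True when the column's eval list contains 'password'."""
    evals = [e.strip() for e in config.get("eval", "").split(",")]
    return "password" in evals


def render_form(record, columns=COLUMNS):
    """Render one <input> per column.

    Password fields are emitted with an empty value, autocomplete off and
    'disabled': the stored hash never reaches the browser, and a disabled
    field is not part of the form submission. The inline onchange handler
    re-enables the field only when the editor actually enters a new password.
    """
    lines = []
    for name, config in columns.items():
        if is_password_field(config):
            lines.append(
                f'<input type="password" name="data[{name}]" value="" '
                f'autocomplete="off" disabled onchange="this.disabled=false">'
            )
        else:
            value = escape(str(record.get(name, "")), quote=True)
            lines.append(f'<input type="text" name="data[{name}]" value="{value}">')
    return "\n".join(lines)


def hash_password(plaintext, iterations=100_000):
    """Stand-in password hash (PBKDF2-HMAC-SHA256 with a random salt)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Check a plaintext candidate against a hash produced by hash_password()."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    except ValueError:
        return False


def apply_submission(record, posted, columns=COLUMNS):
    """Merge a submitted form into the stored record.

    A password field that was not submitted (still disabled) or was submitted
    empty leaves the stored hash untouched; a non-empty value is hashed.
    Only a new plaintext ever crosses the wire, and only when the editor
    changed it.
    """
    updated = dict(record)
    for name, config in columns.items():
        if name not in posted:
            continue  # disabled field: browser did not submit it
        value = posted[name]
        if is_password_field(config):
            if value == "":
                continue  # empty means "keep the current password"
            updated[name] = hash_password(value)
        else:
            updated[name] = value
    return updated


if __name__ == "__main__":
    # Constructed record; the hash is never echoed back into the form.
    stored = {"username": "editor", "password": hash_password("old-secret"),
              "email": "editor@example.invalid"}
    html = render_form(stored)
    print(html)
    assert stored["password"] not in html
```

The server-side rule is what actually protects the hash: even if a client re-enables the field without typing anything, the empty value is ignored rather than written back, and a field the browser did not submit is left as it is.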
#2

Updated by Markus Klein over 8 years ago

  • Category set to FormEngine aka TCEforms
  • Status changed from New to Accepted
  • Assignee set to Markus Klein
  • Priority changed from Should have to Must have
  • Complexity set to hard

Will be fixed in CMS 7 only if possible at all, otherwise CMS 8.

#3

Updated by Helmut Hummel almost 8 years ago

  • Tags set to security
#4

Updated by Helmut Hummel almost 8 years ago

  • TYPO3 Version changed from 6.2 to 8
#5

Updated by Helmut Hummel almost 8 years ago

  • Category changed from FormEngine aka TCEforms to Security
  • Target version changed from Candidate for patchlevel to 8 LTS
#6

Updated by Benni Mack almost 7 years ago

  • Target version changed from 8 LTS to Candidate for patchlevel
#7

Updated by Markus Klein over 6 years ago

  • Assignee deleted (Markus Klein)
  • Priority changed from Must have to Should have
#8

Updated by Oliver Hader over 5 years ago

  • Has duplicate Task #80017: Security: Do not send password hashes when editing user records added