Bug #19677
closed
Hardcoded md5-ization of be user password in sysext/setup/mod/index.php
0%
Description
The backend module of system extension "setup" allows to change backend user account data. Also the password of the backend user can be updated here.
In line 345 of setup/mod/index.php [1] there is Javascript coding added to put the clear text password through the javascript md5 function before submitting it via HTTP.
onchange="this.value=this.value?MD5:\'\';"
This of course makes sense if SSL is not available, but there is no way to disable it if SSL is available. It is necessary to disable the hard coded md5-ization is if a setup is using extensions like t3sec_saltedpw [2].
Suggestion: Maybe in case of HTTPS and the setting [BE][loginSecurityLevel] = normal the changed password could be sent in clear text.
Cheers,
Henning
[1] https://svn.typo3.org/TYPO3v4/Core/trunk/typo3/sysext/setup/mod/index.php
[2] http://forge.typo3.org/projects/activity/extension-t3sec_saltedpw
I have marked this bug as private because it is related to password security, maybe this can also just go public.
(issue imported from #M9888)
Updated by Marcus Krause over 15 years ago
Suggestion by Michael Stucki:
- Create a wrapper that checks for every field if there is a $TCA entry
- if so, process it (or all at the same time) through TCE
- later, set all other values manually
Since TCA can be looked up easily, that should not be too hard to do.
And it would work at least for the password field, which is why you're
thinking about all this.
Updated by Rupert Germann over 14 years ago
this bug doesn't exist anymore.
now the mentioned line has a condition, that prevents adding the onchange attribute when eval is not md5
sysext/setup/mod/index.php line 510:
if ($eval == 'md5') {
$more .= ' onchange="this.value=this.value?MD5(this.value):\'\';"';
}