Project

General

Profile

Actions

Bug #19677

closed

Hardcoded md5-ization of be user password in sysext/setup/mod/index.php

Added by Henning Pingel almost 16 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Should have
Category:
-
Target version:
-
Start date:
2008-12-04
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.3
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The backend module of system extension "setup" allows to change backend user account data. Also the password of the backend user can be updated here.

In line 345 of setup/mod/index.php [1] there is Javascript coding added to put the clear text password through the javascript md5 function before submitting it via HTTP.

onchange="this.value=this.value?MD5:\'\';"

This of course makes sense if SSL is not available, but there is no way to disable it if SSL is available. It is necessary to disable the hard coded md5-ization is if a setup is using extensions like t3sec_saltedpw [2].

Suggestion: Maybe in case of HTTPS and the setting [BE][loginSecurityLevel] = normal the changed password could be sent in clear text.

Cheers,
Henning

[1] https://svn.typo3.org/TYPO3v4/Core/trunk/typo3/sysext/setup/mod/index.php
[2] http://forge.typo3.org/projects/activity/extension-t3sec_saltedpw

I have marked this bug as private because it is related to password security, maybe this can also just go public.
(issue imported from #M9888)


Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Feature #20774: Change Hardcoded MD5 Password Encryption in User/SetupClosedRupert Germann2009-07-21

Actions
Actions #1

Updated by Marcus Krause almost 16 years ago

Suggestion by Michael Stucki:

- Create a wrapper that checks for every field if there is a $TCA entry
- if so, process it (or all at the same time) through TCE
- later, set all other values manually

Since TCA can be looked up easily, that should not be too hard to do.
And it would work at least for the password field, which is why you're
thinking about all this.

Actions #2

Updated by Rupert Germann about 15 years ago

this bug doesn't exist anymore.

now the mentioned line has a condition, that prevents adding the onchange attribute when eval is not md5

sysext/setup/mod/index.php line 510:

if ($eval == 'md5') {
$more .= ' onchange="this.value=this.value?MD5(this.value):\'\';"';
}
Actions

Also available in: Atom PDF