Bug #19677

closed

Hardcoded md5-ization of be user password in sysext/setup/mod/index.php

Added by Henning Pingel over 15 years ago. Updated over 13 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2008-12-04
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.3
PHP Version: 5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The backend module of system extension "setup" allows changing backend user account data. Also the password of the backend user can be updated here.

In line 345 of setup/mod/index.php [1] there is JavaScript code added to put the clear text password through the JavaScript MD5 function before submitting it via HTTP.

onchange="this.value=this.value?MD5:\'\';"

This of course makes sense if SSL is not available, but there is no way to disable it if SSL is available. It is necessary to disable the hard coded md5-ization if a setup is using extensions like t3sec_saltedpw [2].

Suggestion: Maybe in case of HTTPS and the setting [BE][loginSecurityLevel] = normal the changed password could be sent in clear text.

Cheers,
Henning

[1] https://svn.typo3.org/TYPO3v4/Core/trunk/typo3/sysext/setup/mod/index.php
[2] http://forge.typo3.org/projects/activity/extension-t3sec_saltedpw

I have marked this bug as private because it is related to password security; maybe this can also just go public.
(issue imported from #M9888)
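
The conflict described in the report, as an added example that is not part of the original issue or of TYPO3's code: it simulates the browser-side MD5 step in front of a salted password store and applies the report's suggested condition (HTTPS plus [BE][loginSecurityLevel] = normal). All function names and the sample password are constructed; scrypt stands in for whatever algorithm t3sec_saltedpw uses, and the later login is assumed to submit the password as typed.

```javascript
// Added illustration; names and sample values are constructed, not TYPO3 code.
const crypto = require('node:crypto');

// What the onchange handler does in the browser: the field value is
// replaced by its MD5 hex digest before the form is submitted.
function clientSideMd5(fieldValue) {
  return fieldValue
    ? crypto.createHash('md5').update(fieldValue, 'utf8').digest('hex')
    : '';
}

// Stand-in for a salted password store (assumption: scrypt, random 16-byte salt).
function saltedHash(secret, salt = crypto.randomBytes(16)) {
  const key = crypto.scryptSync(secret, salt, 32);
  return `${salt.toString('hex')}$${key.toString('hex')}`;
}

function verifySalted(secret, stored) {
  const [saltHex, keyHex] = stored.split('$');
  const key = crypto.scryptSync(secret, Buffer.from(saltHex, 'hex'), 32);
  return crypto.timingSafeEqual(key, Buffer.from(keyHex, 'hex'));
}

// The report's suggestion as a predicate: submit the new password as typed
// only when the page is served over HTTPS and loginSecurityLevel is "normal".
function shouldHashInBrowser(isHttps, loginSecurityLevel) {
  return !(isHttps && loginSecurityLevel === 'normal');
}

function simulatePasswordChange(typed, isHttps, loginSecurityLevel) {
  const submitted = shouldHashInBrowser(isHttps, loginSecurityLevel)
    ? clientSideMd5(typed)
    : typed;
  const stored = saltedHash(submitted); // server salts whatever it receives
  return {
    submitted,
    // A login that sends the password as typed verifies only if the salted
    // store was fed the password itself rather than its MD5 digest.
    laterLoginWorks: verifySalted(typed, stored),
  };
}
```

With the hard-coded handler active, the salted store ends up protecting the MD5 digest, so the digest itself becomes the credential the server accepts.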


Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Feature #20774: Change Hardcoded MD5 Password Encryption in User/Setup (Closed, Rupert Germann, 2009-07-21)
