Feature #21423
closed
Install Tool Password gets transmitted plain text
0%
Description
When you log into the install tool, the password is transmitted plaintext "as is" to the server and there it gets md5 hashed and compared to the password stored in localconf.php.
It would be better to use a challenge/response like for the BE-Login
The only remaining weakness is setting the Install Tool Password right out of the Install Tool. Cause here it is again transmitted in plaintext. An asymmetric encryption could solve this problem (Not part of this bug/patch).
For the problem of plain-text Install Tool Login a patch is attached (against rev. 6310)
(issue imported from #M12430)
Files
Updated by Chris topher almost 14 years ago
Updated by Nicole Cordes over 10 years ago
- Category set to Install Tool
- Status changed from New to Accepted
- Assignee set to Nicole Cordes
- Target version deleted (
0)
Updated by Mathias Schreiber over 9 years ago
- Status changed from Accepted to Rejected
These things should be handled by an SSL connection.
Updated by Helmut Hummel over 9 years ago
The install tool must be available in many conditions which cannot be fulfilled with integrating rsa encryption.
If you are concerned with clear text transmission of your install tool password, you should not use it on a production server without SSL being enabled on the server (and probably not even then)