Project

General

Profile

Actions

Feature #21423

closed

Install Tool Password gets transmitted plain text

Added by Bernhard Kraft about 15 years ago. Updated almost 10 years ago.

Status:
Rejected
Priority:
Should have
Assignee:
-
Category:
Install Tool
Target version:
-
Start date:
2009-11-02
Due date:
% Done:

0%

Estimated time:
PHP Version:
5.2
Tags:
Complexity:
Sprint Focus:

Description

When you log into the install tool, the password is transmitted plaintext "as is" to the server and there it gets md5 hashed and compared to the password stored in localconf.php.

It would be better to use a challenge/response like for the BE-Login

The only remaining weakness is setting the Install Tool Password right out of the Install Tool. Cause here it is again transmitted in plaintext. An asymmetric encryption could solve this problem (Not part of this bug/patch).

For the problem of plain-text Install Tool Login a patch is attached (against rev. 6310)

(issue imported from #M12430)


Files


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Feature #22245: Secure Install Tool LoginClosedNicole Cordes2010-03-06

Actions
Related to TYPO3 Core - Feature #50613: Use salted Install Tool passwordClosedNicole Cordes2013-08-01

Actions
Actions #1

Updated by Chris topher over 14 years ago

Result of the discussion in Core List is to better use asymmetric encryption (like RSA) to secure the data transfer.

People agreed in #22245 (see Core List), that at least that should be done with #22245.

Actions #2

Updated by Nicole Cordes about 11 years ago

  • Category set to Install Tool
  • Status changed from New to Accepted
  • Assignee set to Nicole Cordes
  • Target version deleted (0)
Actions #3

Updated by Mathias Schreiber almost 10 years ago

  • Status changed from Accepted to Rejected

These things should be handled by an SSL connection.

Actions #4

Updated by Helmut Hummel almost 10 years ago

The install tool must be available in many conditions which cannot be fulfilled with integrating rsa encryption.

If you are concerned with clear text transmission of your install tool password, you should not use it on a production server without SSL being enabled on the server (and probably not even then)

Actions #5

Updated by Helmut Hummel almost 10 years ago

  • Assignee deleted (Nicole Cordes)
Actions

Also available in: Atom PDF