Project

General

Profile

Actions
Copy link

Feature #21423

closed

Install Tool Password gets transmitted plain text

Added by Bernhard Kraft over 14 years ago. Updated over 9 years ago.

Status:
Rejected
Priority:
Should have
Assignee:
-
Category:
Install Tool
Target version:
-
Start date:
2009-11-02
Due date:
% Done:

0%

Estimated time:
PHP Version:
5.2
Tags:
Complexity:
Sprint Focus:

Description

When you log into the install tool, the password is transmitted plaintext "as is" to the server and there it gets md5 hashed and compared to the password stored in localconf.php.

It would be better to use a challenge/response like for the BE-Login

The only remaining weakness is setting the Install Tool Password right out of the Install Tool. Cause here it is again transmitted in plaintext. An asymmetric encryption could solve this problem (Not part of this bug/patch).

For the problem of plain-text Install Tool Login a patch is attached (against rev. 6310)

(issue imported from #M12430)

Files

installToolLogin_ChallengeResponse.diff (5.06 KB) installToolLogin_ChallengeResponse.diff Administrator Admin, 2009-11-02 01:01

Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Feature #22245: Secure Install Tool LoginClosedNicole Cordes2010-03-06

Actions
Related to TYPO3 Core - Feature #50613: Use salted Install Tool passwordClosedNicole Cordes2013-08-01

Actions
Actions
Copy link

Also available in: Atom PDF