Bug #25367
Closed
rsaauth does not encrypt new passwords entered in forgot password form
Description
I'm using felogin with saltedpasswords and rsaauth. Login works fine: I enter username and password, and after clicking on the login button, the password is modified via JavaScript. Source code of the login form shows:
... onsubmit="tx_rsaauth_feencrypt(this);; return true;" ...
In the form in which the user can change his password (the form shown after clicking on the link in the forgot-password mail), there seems to be no modification via JavaScript. After clicking the button to save the new password, the password field is not modified; in the source code of the form I could not find any JavaScript like the one above.
Can anybody reproduce this problem?
I could send a link and a username per e-mail if needed.
(issue imported from #M18002)
Updated by Felix Nagel over 13 years ago
- Target version deleted (0)
I am able to reproduce this issue in TYPO3 4.4.7
Updated by Felix Nagel over 13 years ago
Seems the password change does work, but the pass is submitted in plain, not encrypted. So this is a security issue, not a show stopper.
Updated by Steffen Gebert over 13 years ago
- Category changed from Communication to Authentication
Updated by Gerrit Code Review over 11 years ago
- Status changed from New to Under Review
Patch set 17 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/17256
Updated by Gerrit Code Review about 10 years ago
Patch set 18 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/17256
Updated by Christian Kuhn almost 10 years ago
- Status changed from Under Review to New
- Is Regression set to No
The patch was stalled in review for a very long time. It was abandoned to keep the review list a bit more clean. If anyone wants to pick up again, feel free to push a new patch.
Updated by Riccardo De Contardi almost 9 years ago
I think it is still relevant in current 8.1 master: if I put a login form in a page and disable javascript, then it is not possible to log in,
Updated by Riccardo De Contardi over 7 years ago
- Related to Task #80018: Deprecate usage of EXT:rsaauth added
Updated by Riccardo De Contardi over 7 years ago
- Related to Task #81852: Deprecate EXT:rsaauth added
Updated by Georg Ringer over 6 years ago
- Status changed from New to Closed
I am closing this issue even though it is still valid. The reason is that rsaauth has been deprecated and will be removed in 10. HTTPS is, especially with Let's Encrypt, a must-have and easy to get. Also, from an SEO perspective it is now important, and if HTTPS is available rsaauth can be dropped also in 7 or 8.