Project

General

Profile

Actions

Bug #36244

closed

Status report shows security warning after Scheduler "Convert user passwords to salted hashes (saltedpasswords)"

Added by Stefan Peter over 12 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2012-04-17
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.6
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

After excecution of the Scheduler Job "Convert user passwords to salted hashes (saltedpasswords)" the status report still reports not converted passwords.

The reason of the message was, that there was a deleted user. His password was not converted be the job, but the report detects the missing salted password. After deleting the user directly in the database the security warning was gone.

Solution would be to change the report (don't look for deleted users) or to change the job.


Related issues 1 (0 open1 closed)

Precedes TYPO3 Core - Feature #51479: Show somehow which user passwords are treatend as unsecure.Closed2013-08-28

Actions
Actions #1

Updated by Martin Hartung over 12 years ago

A similiar issue is, that all "_cli_" accounts do not have passwords and will neither satisfy the reports-module.
This should also be taken in account when patching the extension.

Actions #2

Updated by Kay Strobach over 12 years ago

i also found out, that it's really simple to patch => users with empty password should simply get a password set during the conversion!, so the problem is more a false conversion, than a false display of information.

please see class.tx_saltedpasswords_tasks_bulkupdate.php around line 194

if (strlen($password) > 2 && (t3lib_div::isFirstPartOfStr($password, 'C$') || t3lib_div::isFirstPartOfStr($password, 'M$'))) {
    // Cut off M or C and test if we have a salted hash
    $isSaltedHash = tx_saltedpasswords_salts_factory::determineSaltingHashingMethod(substr($password, 1));
}

we should add something like this directly after the above code:

if (strlen(trim($password)) === 0) {
    $password     = $this->generateSecurePassword(); //use randomizer here
    $isSaltedHash = false;
}
Actions #3

Updated by Kay Strobach over 12 years ago

This BUG is also 4.5 LTS related!

Actions #4

Updated by Kay Strobach over 12 years ago

suggested way of generating passwords
https://defuse.ca/generating-random-passwords.htm

alternativly we could generate the password with md5(time()) AND disable the user afterwards ;) as this would be insecure.

Actions #5

Updated by Gerrit Code Review about 11 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/23421

Actions #6

Updated by Gerrit Code Review about 11 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/23421

Actions #7

Updated by Gerrit Code Review about 11 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/23421

Actions #8

Updated by Gerrit Code Review about 11 years ago

Patch set 1 for branch TYPO3_6-1 has been pushed to the review server.
It is available at https://review.typo3.org/23432

Actions #9

Updated by Gerrit Code Review about 11 years ago

Patch set 1 for branch TYPO3_6-0 has been pushed to the review server.
It is available at https://review.typo3.org/23433

Actions #10

Updated by Gerrit Code Review about 11 years ago

Patch set 1 for branch TYPO3_4-7 has been pushed to the review server.
It is available at https://review.typo3.org/23434

Actions #11

Updated by Gerrit Code Review about 11 years ago

Patch set 1 for branch TYPO3_4-5 has been pushed to the review server.
It is available at https://review.typo3.org/23435

Actions #12

Updated by Nicole Cordes about 11 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #13

Updated by Kay Strobach about 11 years ago

how can it be applied without a review? - anyway thanks

Actions #14

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF