Task #59233

Do not transfer content of fields with eval=password

Added by Franz G. Jahn about 5 years ago. Updated almost 2 years ago.

Status:
Accepted
Priority:
Should have
Assignee:
-
Category:
Security
Start date:
2014-05-30
Due date:
-
% Done:
0%

TYPO3 Version:
8
PHP Version:
Tags:
security
Complexity:
hard
Sprint Focus:

Description

When you edit an arbitrary record with a password field, the content of the password field (as stored in the database) is transferred to the user. This affects e.g. the value of backend user passwords if the backend user record is edited by admins. This might imply that the password hash is transferred over an unencrypted connection without any need.

It would be nice if the content of password fields would not be part of the delivered html.


Related issues

Duplicated by TYPO3 Core - Task #70214: rsaauth should not send hashed password hash to formengine Closed 2015-09-30
Duplicated by TYPO3 Core - Task #80017: Security: Do not send password hashes when editing user records Closed 2017-02-25

History

#1 Updated by Mathias Schreiber over 3 years ago

  • Tracker changed from Feature to Task
  • Target version set to Candidate for patchlevel
  • TYPO3 Version set to 6.2

Affected elements:

  • FormEngine InputElement
  • FormEngine RSAElement

Solution 1:

  • autocomplete = off
  • set hidden field to disabled and only set enabled on change
  • remove hidden field value
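The three-step mitigation sketched in comment #1, as an added example that is not TYPO3 core code and not part of this ticket. It models the server-side rendering of a field with eval=password, the client-side change handler, the browser rule that disabled controls are not submitted, and the save-side merge that keeps the stored hash when nothing was submitted. The column config, the record, the placeholder hash and every function name (renderInput, onPasswordChange, serializeForm, mergeSubmission, demo) are constructed for this example.

```javascript
// Added example, not TYPO3 core code: a runnable sketch of the three-step
// mitigation from comment #1 for columns configured with eval=password.
// The column config, the record, the placeholder hash and all function
// names below are constructed for this example.

// Constructed TCA-style column config (mirrors 'eval' => 'password').
const columns = {
  username: { type: 'input', eval: 'trim' },
  password: { type: 'input', eval: 'password' },
};

// Constructed stored record; the "hash" is a placeholder string, not a real hash.
const storedRecord = {
  uid: 3,
  username: 'editor',
  password: '$placeholder$not-a-real-hash',
};

function isPasswordField(config) {
  return String(config.eval || '').split(',').map(s => s.trim()).includes('password');
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Server side (the form element): for eval=password the stored hash is never
// written into the markup. The visible input carries no name attribute, so the
// browser never submits it; the hidden input carries the real name, starts
// disabled and empty, and is only enabled by the change handler below.
function renderInput(name, config, value) {
  const n = escapeHtml(name);
  if (isPasswordField(config)) {
    return `<input type="password" value="" autocomplete="off" data-formengine-input-name="${n}">` +
      `<input type="hidden" name="${n}" value="" disabled>`;
  }
  return `<input type="text" name="${n}" value="${escapeHtml(value)}">`;
}

// Client side: a minimal model of the two inputs so the logic runs without a DOM.
function createPasswordFieldState() {
  return { visible: { value: '' }, hidden: { value: '', disabled: true } };
}

// "change" handler of the visible input. The hidden field is enabled only once
// the user has typed a new password; clearing it again disables the hidden
// field, so an emptied input counts as "unchanged", not "set empty password".
function onPasswordChange(state, typed) {
  state.visible.value = typed;
  state.hidden.value = typed;
  state.hidden.disabled = typed === '';
  return state;
}

// Browsers omit disabled controls from form submission; emulate that.
function serializeForm(fields) {
  const data = {};
  for (const [name, field] of Object.entries(fields)) {
    if (!field.disabled) data[name] = field.value;
  }
  return data;
}

// Placeholder for the site's password hashing; a real implementation would call
// the configured salted hashing, never a reversible or plain transformation.
function placeholderHash(plain) {
  return 'hashed(' + plain + ')';
}

// Server side on save: a password key that is absent from the submission means
// "unchanged" (keep the stored hash); a present key means "new password", which
// is hashed before it is stored. Non-password columns are copied as submitted.
function mergeSubmission(stored, submitted, columnConfig, hash) {
  const result = { ...stored };
  for (const [name, config] of Object.entries(columnConfig)) {
    if (!(name in submitted)) continue;
    result[name] = isPasswordField(config) ? hash(submitted[name]) : submitted[name];
  }
  return result;
}

// Walk through both cases: an admin who edits only the username, and one who
// sets a new password. Returns the resulting records for inspection.
function demo() {
  const untouched = createPasswordFieldState();
  const formA = { username: { value: 'editor2' }, password: untouched.hidden };
  const recordA = mergeSubmission(storedRecord, serializeForm(formA), columns, placeholderHash);

  const changed = onPasswordChange(createPasswordFieldState(), 'new-secret');
  const formB = { username: { value: 'editor' }, password: changed.hidden };
  const recordB = mergeSubmission(storedRecord, serializeForm(formB), columns, placeholderHash);
  return { recordA, recordB };
}
```

The point of keeping the hidden field disabled rather than merely empty is that the server can then tell "not touched" (key absent from the POST body) apart from "set to empty" (key present with an empty value), so the existing hash survives an edit of unrelated columns without ever leaving the server. Treating a cleared input as unchanged is a design choice of this example; whatever the real element does, the submitted plaintext must go through the configured password hashing before it is stored.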

#2 Updated by Markus Klein over 3 years ago

  • Category set to FormEngine aka TCEforms
  • Status changed from New to Accepted
  • Assignee set to Markus Klein
  • Priority changed from Should have to Must have
  • Complexity set to hard

Will be fixed in CMS 7 only if possible at all, otherwise CMS 8.

#3 Updated by Helmut Hummel about 3 years ago

  • Tags set to security

#4 Updated by Helmut Hummel about 3 years ago

  • TYPO3 Version changed from 6.2 to 8

#5 Updated by Helmut Hummel about 3 years ago

  • Category changed from FormEngine aka TCEforms to Security
  • Target version changed from Candidate for patchlevel to 8 LTS

#6 Updated by Benni Mack over 2 years ago

  • Target version changed from 8 LTS to Candidate for patchlevel

#7 Updated by Markus Klein almost 2 years ago

  • Assignee deleted (Markus Klein)
  • Priority changed from Must have to Should have

#8 Updated by Oliver Hader 8 months ago

  • Duplicated by Task #80017: Security: Do not send password hashes when editing user records added
