devryan / GamePanelX-V3

The Original Free and Open Source Game Control Panel
https://www.gamepanelx.com

Stop using md5 and sha1 #105

Open GIANTCRAB opened 9 years ago

GIANTCRAB commented 9 years ago

Hello, I skimmed through the code very briefly and was shocked by the security of the software.

Hashing for the password is very weak: users are hashed with the MD5 hash function through MySQL, while admins are hashed with PHP's sha1. Although the admin's password was salted, the salt was not a unique one for every installation.

Over the years, sha1 and md5 have been considered weak since they can be deciphered/decrypted.

The PHP dev team has strongly suggested the use of crypt() or password_hash(), which is a simple crypt() wrapper and is compatible with existing password hashes.

There are also articles like this out there that support the use of bcrypt and not sha1/2/3/256/512 or md5, etc.

References for the code:

@mysql_query("INSERT INTO users (date_created,sso_user,sso_pass,username,password,email_address,first_name,last_name) VALUES(NOW(),AES_ENCRYPT('$username', '$enc_key'),AES_ENCRYPT('$password', '$enc_key'),'$username',MD5('$password'),'$email','$first_name','$last_name')") or die('Failed to create user: '.mysql_error());

$password = base64_encode(sha1('ZzaX'.$password.'GPX88'));
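The following is an added example, not code from GamePanelX or from the issue author. It shows the two legacy schemes quoted above next to the password_hash()/password_verify() replacement the comment recommends, and a login check that accepts a stored hash in any of the three formats and upgrades legacy rows on first successful login. Assumptions: the `password` column has been widened to hold a 60-character bcrypt string (a 32-character MD5 column cannot), the caller knows whether the row is a user or an admin (the `$role` parameter), and the function and option names are the example's own.

```php
<?php
// Added example (not GamePanelX code): migrating the two legacy password
// schemes quoted in this issue to password_hash()/password_verify().
// Assumed storage: the 'password' column widened to VARCHAR(255) so it can
// hold bcrypt output (60 chars) instead of a 32-char MD5 hex string.

// Legacy scheme 1 (users): MySQL MD5('$password'). Recomputed here in PHP;
// hashing in PHP rather than in SQL keeps the plaintext out of the query
// string and the server's query log.
function legacy_user_hash(string $password): string {
    return md5($password);
}

// Legacy scheme 2 (admins): sha1 with a fixed, install-independent salt,
// exactly as quoted in the issue.
function legacy_admin_hash(string $password): string {
    return base64_encode(sha1('ZzaX' . $password . 'GPX88'));
}

// New scheme: bcrypt via password_hash(). A random per-password salt is
// generated and stored inside the hash string, so no global salt is needed.
// Cost 12 is an assumed setting; tune it to the server's CPU budget.
const BCRYPT_OPTIONS = ['cost' => 12];

function new_hash(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Login check accepting a stored hash in any of the three formats.
// Returns [bool $ok, ?string $rehash]; $rehash is the new value to write
// back to the row when the stored hash should be replaced.
function check_login(string $password, string $stored, string $role): array {
    // Current format: bcrypt strings produced by PHP start with "$2y$".
    if (strncmp($stored, '$2y$', 4) === 0) {
        if (!password_verify($password, $stored)) {
            return [false, null];
        }
        // If the cost was raised since this hash was made, rehash on login.
        $rehash = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
            ? new_hash($password) : null;
        return [true, $rehash];
    }
    // Legacy format: recompute, compare in constant time, then upgrade.
    $legacy = ($role === 'admin')
        ? legacy_admin_hash($password)
        : legacy_user_hash($password);
    if (!hash_equals($legacy, $stored)) {
        return [false, null];
    }
    return [true, new_hash($password)];
}

function expect(bool $cond, string $what): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Demo with constructed sample credentials (not real data).
$userStored  = legacy_user_hash('hunter2');        // what an old users row holds
$adminStored = legacy_admin_hash('correct horse'); // what an old admins row holds

[$ok, $upgraded] = check_login('hunter2', $userStored, 'user');
expect($ok && $upgraded !== null && password_verify('hunter2', $upgraded),
       'legacy MD5 user logs in and is upgraded to bcrypt');

[$ok, $upgraded] = check_login('wrong', $userStored, 'user');
expect(!$ok && $upgraded === null, 'wrong password is rejected, no rehash');

[$ok, $upgraded] = check_login('correct horse', $adminStored, 'admin');
expect($ok && strncmp($upgraded, '$2y$', 4) === 0,
       'legacy salted-sha1 admin logs in and is upgraded to bcrypt');

// Second login against the upgraded hash: verified, no further rehash.
[$ok, $again] = check_login('correct horse', $upgraded, 'admin');
expect($ok && $again === null, 'bcrypt hash verifies without rehash');

echo "all checks passed\n";
```

Two caveats a practitioner would want: bcrypt only looks at the first 72 bytes of the password, so enforce a maximum length (or pre-hash with a keyed HMAC) if you allow very long passphrases; and `PASSWORD_BCRYPT` is used here rather than `PASSWORD_DEFAULT` only so the `$2y$` prefix check stays stable across PHP upgrades. The legacy branch should be removed once every row has been rewritten, since the old hashes remain weak for any account that never logs in.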

lifehome commented 9 years ago

Looking back to 2014, here we are in 2015, and yet this issue is still not fixed?
What a joke.

devryan commented 9 years ago

I have been very busy and haven't had time to update in a while; I admit there have been security issues present. However, keep in mind this is an open source project, and people can commit fixes to the code if there are issues.

Have those addressing the issues contributed fixes for them? Just curious, because if you're not willing to write code, but you're willing to complain about a free project with one developer, I'm not sure what you expect. Nor do I appreciate you calling something I spend my personal time on, that hasn't been updated in practically a year, a "joke."

I'd like to spend more of my time on this but lately I've been too busy to do so.

On Apr 10, 2015 7:59 PM, "Kevin Gilbert" notifications@github.com wrote:

Well said


ezspot commented 8 years ago

Keep it up @devryan. @lifehome, since you have a lot of time, you can contribute and help fix the problem.