in2code-de / femanager

Modern TYPO3 Frontend User Registration

TYPO3 Frontend User Registration and Management based on Extbase and Fluid and on TYPO3 8, with the possibility to extend it to your needs. The extension basically works like sr_feuser_register.
https://www.in2code.de/agentur/typo3-extensions/femanager/

Creating new feuser in frontend saves password in plain text into the database #155

Closed angeloprevitali closed 5 years ago

angeloprevitali commented 5 years ago

If you add a registration form in the FE with EXT:femanager to create a new profile for a feuser, the created password is stored as plain text in the database.

If I set up a new feuser in the backend of TYPO3 9.5.5, the hash works perfectly.

If you modify an existing profile which has been set up in the TYPO3 backend and edit it in the frontend, the password gets reset to plain text again.

TYPO3 version: 9.5.5
EXT:femanager version: 5.0.0
OS: Linux
PHP: 7.2
Configuration presets in Install Tool: NOT Argon2i, but others activated (see screenshot)

Screenshot

tomgloeckler commented 5 years ago

Same here. Obviously femanager is a little „behind“... these are the available options in its UserUtility.php class:

/**
 * Hash a password from $user->getPassword()
 *
 * @param User $user
 * @param string $method "md5", "sha1" or "none"
 * @return void
 */
public static function hashPassword(User &$user, $method)
{
    switch ($method) {
        case 'none':
            // password is left exactly as the user typed it
            break;

        case 'md5':
            $user->setPassword(md5($user->getPassword()));
            break;

        case 'sha1':
            $user->setPassword(sha1($user->getPassword()));
            break;

        default:
            // only hashes when EXT:saltedpasswords is loaded and enabled for FE;
            // otherwise this branch does nothing and the password stays as is
            if (ExtensionManagementUtility::isLoaded('saltedpasswords')) {
                if (SaltedPasswordsUtility::isUsageEnabled('FE')) {
                    $objInstanceSaltedPw = SaltFactory::getSaltingInstance();
                    $user->setPassword($objInstanceSaltedPw->getHashedPassword($user->getPassword()));
                }
            }
    }
}

The current TYPO3 version uses none of them, Salted Passwords is not installed either, so there you go … pw is stored as plaintext when e.g. editing your profile/changing your current pw. Holy crap!

tomgloeckler commented 5 years ago

Possible Workaround: Employ your own controllers to stand in for femanager’s NewController and EditController (e.g. via ext_typoscript_setup.txt). In your custom controllers replace UserUtility::convertPassword($user, $this->settings['edit']['misc']['passwordSave']); with this:

// hash with whatever the Install Tool configured for the FE context (Argon2i, bcrypt, ...)
$hasher = $this->passwordHashFactory->getDefaultHashInstance('FE');
$password = $hasher->getHashedPassword($user->getPassword());
$user->setPassword($password);

Don't forget to inject passwordHashFactory in your controllers and to declare use statements for the classes used by the original controllers. Et voilà – users get/keep their passwords hashed according to your TYPO3 settings when signing up/changing their password.

clivebeckett commented 5 years ago

Same problem with Argon2i activated as hashing algorithm. I think this is quite a serious issue, not only because of poor security with passwords being stored in plain text but also because it just makes the whole extension useless: You just cannot login via the default login form as this properly hashes the password and compares it to the plain text one in the database.

Possible Workaround: Employ your own controllers to stand in for femanager’s NewController and EditController (e.g. via ext_typoscript_setup.txt).

Can anyone give me a hint how to tell my T3 installation to use a customised controller instead of an extension’s default one? A short web search for ext_typoscript_setup.txt returns that this is something deprecated for years and that “static templates or usage of the Extension Management API of class TYPO3\CMS\Core\Utility\ExtensionManagementUtility are preferred.”

tomgloeckler commented 5 years ago

Indeed, @clivebeckett , it is serious! A frontend user changes their password, and that's it … no login possible anymore.

And maybe the ext_typoscript_setup.txt way of doing it is deprecated (I'm not a TYPO3 master), but for me it worked. If someone can give a more up-to-date piece of code – go ahead..! ;)
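The two steps the workaround above describes (swap in your own NewController/EditController and hash with the core PasswordHashFactory instead of UserUtility::convertPassword), put together as an added example; this is not code from the thread or from femanager. The helper hashes with the FE default configured in the Install Tool and, for cleaning up rows the affected femanager version already wrote, tells a plaintext column value apart from a real hash. The namespace, class names and the XCLASS registration line are assumptions for a site extension of your own; the TYPO3 calls used (PasswordHashFactory::getDefaultHashInstance(), get(), checkPassword()) are the 9.5 core API. Check your femanager version's createAction/updateAction before overriding them.

```php
<?php
declare(strict_types=1);

// Hypothetical site extension namespace; pick your own.
namespace Vendor\SiteExt\Security;

use TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Frontend-user password hashing on TYPO3 9.5 through the core PasswordHashFactory.
 *
 * hash() does what the workaround puts in place of UserUtility::convertPassword():
 * it uses the hash class configured for the FE context
 * ($GLOBALS['TYPO3_CONF_VARS']['FE']['passwordHashing'], e.g. Argon2i or bcrypt).
 * isHashed() and verify() let a migration script find fe_users rows that were
 * written in plaintext and refuse to treat them as hashes.
 */
final class FrontendPasswordHasher
{
    /** @var PasswordHashFactory */
    private $factory;

    public function __construct(PasswordHashFactory $factory = null)
    {
        // Extbase injects the factory in a controller; the fallback keeps the
        // class usable from a CLI or migration script as well.
        $this->factory = $factory ?? GeneralUtility::makeInstance(PasswordHashFactory::class);
    }

    /** Hash a plaintext password with the configured FE default hash. */
    public function hash(string $plain): string
    {
        return $this->factory->getDefaultHashInstance('FE')->getHashedPassword($plain);
    }

    /**
     * True when $stored is recognised by one of the hash classes registered for
     * FE ($argon2i$..., $2y$..., $P$..., ...). A plaintext value such as
     * "secret123" matches none of them; the factory then throws, which we map
     * to false instead of letting the check blow up on a bad row.
     */
    public function isHashed(string $stored): bool
    {
        try {
            $this->factory->get($stored, 'FE');
            return true;
        } catch (InvalidPasswordHashException $e) {
            return false;
        }
    }

    /** Compare $plain against a stored hash; a plaintext column value never verifies. */
    public function verify(string $plain, string $stored): bool
    {
        if (!$this->isHashed($stored)) {
            return false;
        }
        return $this->factory->get($stored, 'FE')->checkPassword($plain, $stored);
    }
}

// Wiring into femanager (assumed layout, adjust to your version):
//
// 1. Register a replacement controller in the site extension's ext_localconf.php
//    with the core XCLASS mechanism (config.tx_extbase.objects in TypoScript does
//    the same job on 9.5):
//
//    $GLOBALS['TYPO3_CONF_VARS']['SYS']['Objects'][\In2code\Femanager\Controller\NewController::class]
//        = ['className' => \Vendor\SiteExt\Controller\NewController::class];
//
// 2. In that subclass, let Extbase inject the helper and, in the overridden action,
//    replace the UserUtility::convertPassword(...) call with
//
//    $user->setPassword($this->hasher->hash($user->getPassword()));
//
//    where $this->hasher is set by
//    public function injectFrontendPasswordHasher(FrontendPasswordHasher $hasher) { $this->hasher = $hasher; }
```

isHashed() is also the quickest audit after upgrading: iterate over fe_users.password, and every row for which it returns false is one the buggy code path wrote, whose user has to reset their password (you cannot rehash a value you should never have stored, but you can invalidate it).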

ceekay73 commented 5 years ago

Any news on this issue or plans for when a fix will be provided? Would be great, because this makes femanager almost unusable for TYPO3 9.5 at the moment.

sbusemann commented 5 years ago

This issue is solved in version 5.1.0 - thanks for your patience.