minutils / feed-on-feeds

Released in 2003, saw the rise and fall of Google Reader, reached perfection in 2011
http://feedonfeeds.com/
GNU General Public License v2.0

Unprotected Passwords #11

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Open up phpMyAdmin (assuming you have it)
2. Log in
3. Take a look at the fof_user table

What is the expected output? What do you see instead?
Normally I would expect to see something incomprehensible.
Instead I see, to my horror, my password staring at me plain as day.

What version of the product are you using? On what operating system?
Version 4.999

Please provide any additional information below.
For my own purposes, I actually gutted much of the authentication system
and replaced it with my own because I wanted a more uniform authentication
system throughout my site. (That's how I noticed the problem.) However, for
other users, this value should be hashed before storing it in the database,
rather than when one is querying the field. (If you only hash when querying
the field, then you lose much of the benefit of hashing.)

Original issue reported on code.google.com by sm...@smcox.com on 1 Jun 2007 at 5:25

GoogleCodeExporter commented 9 years ago
Done.  I now store a tasty hash of the password instead, seasoned with salty
username.  This requires a schema upgrade, which will be done automagically by
running "install.php".

Original comment by stevemin...@gmail.com on 6 Jun 2007 at 3:47
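The two comments above describe the defect (the password column holds the plaintext, so anyone reading the table sees it) and the fix (store a hash salted with the username, computed before the row is written). The following is an added illustration in PHP, the project's language; it is not feed-on-feeds code, and the function names, the in-memory stand-in for the fof_user table and the exact way the username is mixed into the digest are assumptions. It also goes one step beyond the comment by showing the modern password_hash() alternative with a random per-user salt.

```php
<?php
// Added example, not feed-on-feeds code. Contrasts the insecure pattern from
// the issue (plaintext in the table) with hashing before storage as in the
// fix comment, using the username as salt. Names and the digest layout are
// assumptions; the project's real schema is not shown on the page.

// Insecure pattern the issue reports: the column holds the plaintext, so any
// read of the table (phpMyAdmin, a backup, a dump) reveals every password.
function store_plaintext(array &$table, string $username, string $password): void {
    $table[$username] = $password;
}

// Salted hash in the spirit of the fix: the username is folded into the
// digest so two accounts sharing a password do not share a stored value.
// (Assumed construction; the separator and algorithm are illustrative.)
function salted_hash(string $username, string $password): string {
    return hash('sha256', $username . ':' . $password);
}

// Hash before the INSERT: the plaintext never reaches the database. Hashing
// only at query time, as the reporter notes, leaves the stored value exposed.
function store_hashed(array &$table, string $username, string $password): void {
    $table[$username] = salted_hash($username, $password);
}

// Login recomputes the digest from the submitted password and compares it to
// the stored one with a timing-safe comparison.
function verify_hashed(array $table, string $username, string $password): bool {
    if (!isset($table[$username])) {
        return false;
    }
    return hash_equals($table[$username], salted_hash($username, $password));
}

// Modern alternative: password_hash() picks a random per-user salt and a
// deliberately slow algorithm, which a username-as-salt scheme lacks.
function store_modern(array &$table, string $username, string $password): void {
    $table[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function verify_modern(array $table, string $username, string $password): bool {
    return isset($table[$username]) && password_verify($password, $table[$username]);
}

// Constructed accounts standing in for rows of fof_user.
$plain = [];
store_plaintext($plain, 'alice', 'hunter2');

$hashed = [];
store_hashed($hashed, 'alice', 'hunter2');
store_hashed($hashed, 'bob', 'hunter2');

$modern = [];
store_modern($modern, 'alice', 'hunter2');

// What an administrator browsing the table would see under each scheme.
echo "plaintext column: {$plain['alice']}\n";
echo "salted column:    {$hashed['alice']}\n";
echo "modern column:    {$modern['alice']}\n";

// Same password, different digests thanks to the salt.
echo 'alice and bob differ: ';
var_dump($hashed['alice'] !== $hashed['bob']);

// Correct and incorrect logins against the salted-hash column.
echo 'salted login ok:  ';
var_dump(verify_hashed($hashed, 'alice', 'hunter2'));
echo 'salted login bad: ';
var_dump(verify_hashed($hashed, 'alice', 'wrong'));

// The same checks against the password_hash() column.
echo 'modern login ok:  ';
var_dump(verify_modern($modern, 'alice', 'hunter2'));
echo 'modern login bad: ';
var_dump(verify_modern($modern, 'alice', 'wrong'));
```

Run it with `php example.php`. The salted-hash functions mirror the 2007 fix; the password_hash() pair is what a maintainer would reach for today, since a username salt is predictable and SHA-256 is fast enough to brute-force offline once a dump leaks.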

GoogleCodeExporter commented 9 years ago
A salted hash? Very tasty. :-)

Original comment by sm...@smcox.com on 6 Jun 2007 at 5:22