ZHENFENG13
commented
2 weeks ago your idea is good, but this project tends to be a learning project. if u want to enhance it, u can modify it by yourself.
Closed MarkLee131 closed 2 weeks ago
ZHENFENG13
commented
2 weeks ago your idea is good, but this project tends to be a learning project. if u want to enhance it, u can modify it by yourself.
Really appreciate your dedication and hard work in developing and maintaining this project!@ZHENFENG13
However, the current framework uses
MD5for password hashing and session token generation, which poses significant security risks.Some of my observed affected areas:
MD5Util.java: MD5 is used as a general-purpose hashing utility (similar toSystemUtil.java). https://github.com/newbee-ltd/newbee-mall/blob/613a662adf1da7623ec34459bc83e3c1b12d8ce7/src/main/java/ltd/newbee/mall/util/MD5Util.java#L34tb_newbee_mall_usertable: Thepassword_md5column stores MD5-hashed passwords.https://github.com/newbee-ltd/newbee-mall/blob/613a662adf1da7623ec34459bc83e3c1b12d8ce7/src/main/resources/newbee_mall_schema.sql#L1005
PersonalController.java: MD5 is used to hash passwords during login.MallUser.java: ThepasswordMd5field stores user passwords as MD5 hashes.AdminUserServiceImpl.java: Admin passwords are hashed with MD5 during login and password updates.MD5 is vulnerable to collision and brute-force attacks, making it unsuitable for protecting sensitive data. Will this project consider replacing
MD5with a secure hashing algorithm, such asbcrypt, to ensure better protection for user credentials and sensitive data? It will greatly enhance the overall security and resilience of the system and benefit the numerous users of this framework.Looking forward to your reply. Thanks!
References: [1] https://cwe.mitre.org/data/definitions/327.html [2] https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography.html