Feature #21423
Install Tool Password gets transmitted plain text
Status: | Rejected | Start date: | 2009-11-02
---|---|---|---
Priority: | Should have | Due date: |
Assigned To: | - | % Done: | 0%
Category: | Install Tool | Spent time: | -
Target version: | - | |
PHP Version: | 5.2 | Sprint Focus: |
Complexity: | | |
Description
When you log into the install tool, the password is transmitted plaintext "as is" to the server and there it gets md5 hashed and compared to the password stored in localconf.php.
It would be better to use a challenge/response like for the BE-Login.
The only remaining weakness is setting the Install Tool Password right out of the Install Tool, because here it is again transmitted in plaintext. An asymmetric encryption could solve this problem (not part of this bug/patch).
For the problem of plain-text Install Tool Login a patch is attached (against rev. 6310).
(issue imported from #M12430)
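
An added illustration of the challenge/response idea proposed in the description above (not the attached patch and not the BE-login code): the server issues a single-use challenge and the client answers with an HMAC keyed by the MD5 hash that localconf.php stores, so the password itself is never sent. The class and function names, the HMAC-SHA256 construction and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample value: the page says localconf.php stores md5(password).
SAMPLE_PASSWORD = "constructed-sample-password"
STORED_HASH = hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest()


class InstallToolLogin:
    """Server side (hypothetical class): issues and verifies single-use challenges."""

    def __init__(self, stored_hash):
        self.stored_hash = stored_hash
        self.open_challenges = set()

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.open_challenges.add(challenge)
        return challenge

    def verify(self, challenge, response):
        # Unknown or already-used challenges are refused, which blocks replay.
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)
        expected = hmac.new(self.stored_hash.encode(), challenge.encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(expected, response)


def client_response(password, challenge):
    """Client side: only this digest crosses the network, never the password."""
    key = hashlib.md5(password.encode()).hexdigest()
    return hmac.new(key.encode(), challenge.encode(), hashlib.sha256).hexdigest()


def demo():
    server = InstallToolLogin(STORED_HASH)
    c1 = server.new_challenge()
    r1 = client_response(SAMPLE_PASSWORD, c1)
    first = server.verify(c1, r1)        # legitimate login
    replay_same = server.verify(c1, r1)  # captured response, same challenge
    replay_new = server.verify(server.new_challenge(), r1)  # fresh challenge
    c3 = server.new_challenge()
    wrong = server.verify(c3, client_response("wrong-password", c3))
    return first, replay_same, replay_new, wrong
```

Because the key is the stored hash, the value in localconf.php is by itself enough to answer a challenge, and the exchange neither authenticates the server nor protects the page that delivers the client-side code. Those gaps are what a TLS connection covers.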
History
#1 Updated by Chris topher about 5 years ago
#2 Updated by Nicole Cordes almost 2 years ago
- Category set to Install Tool
- Status changed from New to Accepted
- Assigned To set to Nicole Cordes
- Target version deleted (0)
#3 Updated by Mathias Schreiber 8 months ago
- Status changed from Accepted to Rejected
These things should be handled by an SSL connection.
#4 Updated by Helmut Hummel 8 months ago
The install tool must be available in many conditions which cannot be fulfilled with integrating RSA encryption.
If you are concerned with clear text transmission of your install tool password, you should not use it on a production server without SSL being enabled on the server (and probably not even then).
#5 Updated by Helmut Hummel 8 months ago
- Assigned To deleted (Nicole Cordes)