Forum does not hash passwords - major vulnerability

1 year 5 months ago
8Keep
Fresh Boarder
Posts: 4
Topic Author
Forum does not hash passwords - major vulnerability #33172
I just signed up - and my password was sent to my email ... plain text. I can't believe it. Hashing passwords is so easy to do...

Please fix this! The internet doesn't need more stolen information.
The topic has been locked.
1 year 5 months ago
knro
Administrator
Posts: 8000
Karma: 51
Forum does not hash passwords - major vulnerability #33175
Passwords are already hashed. But there is an option as well to send passwords to the registered email address which I've disabled now. It's all done over SSL so no need to panic, but it's disabled now anyway.

Jasem Mutlaq
Support INDI & Ekos; Get StellarMate Astrophotography Gadget.
How to Submit Logs when you have problems?
Add your observatory info
1 year 5 months ago
AstroNerd
Moderator
Posts: 807
Karma: 1
Forum does not hash passwords - major vulnerability #33181
What exactly are they going to steal anyway.... :)

Stellarmate OS BETA on Raspberry pi4b
Skywatcher EQ8 pro
Meade series 5000 80mm triplet Apo & Meade 8” SCT (de-forked)
Starlight Xpress SXVR H18, SXVR M25c, Lodestar Guide Camera
Pegasus Ultimate Hub for all USB & Power
Pegasus focus motors on both scopes
1 year 5 months ago
8Keep
Fresh Boarder
Posts: 4
Topic Author
Forum does not hash passwords - major vulnerability #33201
Thanks Jasem, good to know
1 year 5 months ago
dokeeffe
Platinum Boarder
Posts: 384
Forum does not hash passwords - major vulnerability #33209
How does it know the password to send in the email though? It's good to disable that feature, but it points to something bad in the way the password is stored in the datastore. Usually they are stored in the db with a one-way hash where the real password cannot be recovered (without brute force). If it's able to send the real password via email then there is a vulnerability there.

Celestron CPC1100 Atik 383L
HP8300 Elite i5 running Xubuntu, Indi, Kstars & Ekos
Roll off roof observatory
Battling Irish weather
github.com/dokeeffe
twitter.com/BallyhouraStars
1 year 5 months ago
knro
Administrator
Posts: 8000
Karma: 51
Forum does not hash passwords - major vulnerability #33219
That's the way Joomla does it. It's sent before getting hashed and stored in DB as a "reminder". I agree it is bad practice and disabled it now.

Jasem Mutlaq
Support INDI & Ekos; Get StellarMate Astrophotography Gadget.
How to Submit Logs when you have problems?
Add your observatory info
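An added example (not the forum's or Joomla's code) of the one-way storage dokeeffe describes and the registration flow Jasem outlines: the plaintext exists only while the registration request is being handled, and the stored record can verify a later login but cannot produce the password for a "reminder" email. The algorithm, iteration count and record layout are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; a real deployment tunes these to its hardware.
ITERATIONS = 210_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, and the record holds no recoverable copy of the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the candidate password and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        # Malformed record (wrong field count, bad hex, non-numeric iterations).
        return False
    return hmac.compare_digest(candidate, expected)


def register(users: dict, username: str, password: str) -> str:
    """Hash at registration time and keep only the record; return the welcome mail body.

    Nothing returned here is derived from the plaintext, so the mail cannot leak it.
    """
    users[username] = hash_password(password)
    return f"Welcome {username}. Sign in with the password you chose; it is not stored on the server."
```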