INDI Library v1.7.9 Released (23 Jun 2019)

INDI Library v1.7.9 is mostly a maintenance release to fix a few bugs in several drivers.

Forum does not hash passwords - major vulnerability

  • Posts: 4
  • Thank you received: 0

Forum does not hash passwords - major vulnerability was created by 8Keep

I just signed up - and my password was sent to my email ... plain text. I can't believe it. Hashing passwords is so easy to do...

Please fix this! The internet doesn't need more stolen information.
5 months 3 weeks ago #33172
The topic has been locked.

Replied by knro on topic Forum does not hash passwords - major vulnerability

Passwords are already hashed. But there is an option as well to send passwords to the registered email address which I've disabled now. It's all done over SSL so no need to panic, but it's disabled now anyway.
Jasem Mutlaq
Support INDI & Ekos; Get StellarMate Astrophotography Gadget.
How to Submit Logs when you have problems?
Add your observatory info
5 months 3 weeks ago #33175
  • Posts: 418
  • Karma: 1
  • Thank you received: 63

Replied by AstroNerd on topic Forum does not hash passwords - major vulnerability

What exactly are they going to steal anyway.... :)
Stellarmate OS on Raspberry pi3b+ controlled with Kubuntu laptop
Skywatcher EQ8 pro
Meade series 5000 80mm triplet Apo & Meade 8” SCT (de-forked)
Starlight Xpress SXVR H18, SXVR M25c, Lodestar Guide Camera
Pegasus Ultimate Hub for all USB & Power
Pegasus focus motors on both scopes
5 months 3 weeks ago #33181
  • Posts: 4
  • Thank you received: 0

Replied by 8Keep on topic Forum does not hash passwords - major vulnerability

Thanks Jasem, good to know
5 months 3 weeks ago #33201
  • Posts: 340
  • Thank you received: 63

Replied by dokeeffe on topic Forum does not hash passwords - major vulnerability

How does it know the password to send in the email though? It's good to disable that feature, but it points to something bad in the way the password is stored in the datastore. Usually they are stored in the db with a one-way hash where the real password cannot be recovered (without brute force). If it's able to send the real password via email then there is a vulnerability there.
Celestron CPC1100 Atik 383L
HP8300 Elite i5 running Xubuntu, Indi, Kstars & Ekos
Roll off roof observatory
Battling Irish weather
github.com/dokeeffe
twitter.com/BallyhouraStars
5 months 3 weeks ago #33209

Replied by knro on topic Forum does not hash passwords - major vulnerability

That's the way Joomla does it. It's sent before getting hashed and stored in DB as a "reminder". I agree it is bad practice and disabled it now.
Jasem Mutlaq
Support INDI & Ekos; Get StellarMate Astrophotography Gadget.
How to Submit Logs when you have problems?
Add your observatory info
5 months 3 weeks ago #33219
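As an added example (not code from this forum, from INDI or from Joomla), this is the storage model dokeeffe describes and the flow knro's reply implies: the datastore holds only a salt and a one-way derived key, so a login can be verified but the plaintext cannot be read back, which is why a "reminder" email can only ever be built from the plaintext captured before hashing. The in-memory USER_DB, the function names and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 from the standard library. The count is kept modest so the
# example runs quickly; production deployments tune it much higher, or use a
# memory-hard KDF (Argon2, scrypt) where available.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed in-memory "datastore": username -> {"salt", "iterations", "digest"}.
USER_DB = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive the record that gets persisted. Nothing in it is the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def register(username: str, password: str) -> None:
    """Registration path: the plaintext lives only in this call's scope.
    Anything that wants to email it (the Joomla 'reminder' the thread
    describes) would have to read it here, before hashing, not from USER_DB."""
    USER_DB[username] = hash_password(password)


def verify(username: str, candidate: str) -> bool:
    """Login path: re-derive with the stored salt, compare in constant time."""
    record = USER_DB.get(username)
    if record is None:
        # Derive anyway so an unknown user costs the same time as a bad password.
        hash_password(candidate)
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(recomputed, record["digest"])


def stored_fields(username: str) -> list:
    """What a datastore dump exposes for a user: salt, iterations, digest only."""
    return sorted(USER_DB.get(username, {}).keys())
```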