Security flaw
mrshrinkray
Posted: Monday, August 07, 2006 10:41:38 AM

Rank: Aficionado

Joined: 8/4/2006
Posts: 106
Location: London
Great product - it's so intuitive to use and not bloated unlike some other .NET CMS products I've used (that begin with D). I love the templating too.

There is quite a major security issue I've spotted in your password storage however. Passwords are stored in plain text in the umbracoUser table which means if someone were given access to the database, they could login as anyone.

I'd suggest storing them as hashes, at the least MD5, at the best SHA256. I'll post 2 methods for doing this in C# (not that you're not capable of finding out yourselves, but it will save you time).

I would also say that the password textbox on the users page should be an HTML password box, instead of plaintext.
cpalm
Posted: Tuesday, August 08, 2006 10:14:27 AM

Rank: Aficionado

Joined: 7/19/2006
Posts: 164
Yeah, it's on the roadmap: http://bugs.umbraco.org/Default.aspx?p=2&i=73
But I personally would prefer if it's an option.

If a hacker has access to the database I don't think the password as plain text is the biggest concern.

CPalm, www.cpalm.dk
mrshrinkray
Posted: Tuesday, August 08, 2006 3:33:30 PM

Rank: Aficionado

Joined: 8/4/2006
Posts: 106
Location: London
The person gaining access may do so legitimately by having db_datareader, in which case he can then vandalise what he wants. It's not a huge risk except to the website itself.