PEAK XOOPS - Re: Xoops Protector 2.35

Re: Xoops Protector 2.35

Posted on 2005/3/5 10:12
dasdan  From: Belgium / Ghent  Posts: 4
I'm convinced of the added value of the protector module, but I would like to remark a minor security risk in the config.

If someone can get direct access to the database, i.e. the hosting company ... if if if ...

Protector stores the rescue password unencrypted in the xoops_config table

field: conf_name: passwd_disabling_bip
field: conf_title: _MI_PROTECTOR_PASSWD_BIP
field: conf_value: ***unencrypted password***


Storing the pass MD5 encrypted seems more secure in my case.

I've just noticed a new version 2.35 of protector, but the risk still exists.

I have also noticed some problems, when I use relative urls in real html code enabled comments of the polls modules, I hope to find out why tomorrow.

Xoops Forum
Votes:0 Average:0.00
Posted on 2005/3/8 19:13
GIJOE  Posts: 4110
Quote:
I'm convinced of the added value of the protector module, but I would like to remark a minor security risk in the config.
What you said is right.

Although Protector's password itself is not so important, some administrators can set it the same as their important password.

It sounds like an issue of usage.
I've just added a notice like this.

"Don't set this password same as your important password"

Anyway, it is better if any password is encrypted.
It will be added into Protector >= 2.4.

Quote:
I have also noticed some problems, when I use relative urls in real html code enabled comments of the polls modules, I hope to find out why tomorrow.

What is the problem?
HTML comment is disabled automatically by Protector.

It is a protection against XSS.
Votes:0 Average:0.00
Posted on 2005/3/10 2:55
dasdan  From: Belgium / Ghent  Posts: 4
Thanks for implementing it in your next release, what a service

(other problem solved)
Votes:0 Average:0.00
Posted on 2005/3/11 5:12
tklee  Posts: 2
Thanks VERY much for this great module. I really think this should be included into xoops core in their official release.

I was going to suggest using MD5 for password storage and realized somebody else already did. It should be a simple patch, so if you have time, could you do this for us at your earliest convenience?

Quote:
Unfortunately you are banned by some troubles, access

http://(your xoops)/modules/protector/admin/rescue.php

Beforehand to use this feature, you have to set the password in preferences of XoopsProtector.

May I suggest a re-wording of this paragraph. I was quite confused. How about

If unfortunately you as an administrator are banned by some unexpected errors, you can directly access

http://(your xoops)/modules/protector/admin/rescue.php

but be sure to set the password in preferences of XoopsProtector in advance.
Votes:0 Average:0.00
Posted on 2005/3/16 17:45
GIJOE  Posts: 4110
Hi tklee.

Thank you for teaching better English to me.
I've just modified it.
Votes:0 Average:0.00
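
The point raised in dasdan's and tklee's posts (the rescue password sitting readable in `conf_value`), as an added example that is not Protector's code and not part of the thread: it stores a salted hash with PHP's `password_hash()` instead of the MD5 proposed above, and upgrades a legacy plaintext row on the first successful check. The `$config` array, the function names and the sample password are assumptions made for illustration.

```php
<?php
// Added example, not Protector's code. $config stands in for the
// xoops_config row whose conf_name is 'passwd_disabling_bip'.

/** Value to write to conf_value instead of the raw password. */
function rescue_password_to_stored(string $plain): string
{
    // password_hash() picks a random salt and embeds it in its output.
    return password_hash($plain, PASSWORD_DEFAULT);
}

/** True when the stored value is already a password_hash() string. */
function is_hashed(string $stored): bool
{
    return password_get_info($stored)['algoName'] !== 'unknown';
}

/**
 * Check a submitted rescue password against the stored value.
 * A legacy plaintext row is compared in constant time and replaced
 * by a hash on the first successful check.
 */
function check_rescue_password(array &$config, string $submitted): bool
{
    $stored = $config['conf_value'];
    if ($stored === '') {
        // Assumption: an empty value means no rescue password is set.
        return false;
    }
    $hashed = is_hashed($stored);
    $ok = $hashed
        ? password_verify($submitted, $stored)
        : hash_equals($stored, $submitted);
    if ($ok && (!$hashed || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $config['conf_value'] = rescue_password_to_stored($submitted);
    }
    return $ok;
}

// Constructed sample row in the layout quoted in the first post.
$config = [
    'conf_name'  => 'passwd_disabling_bip',
    'conf_value' => 'constructed-sample-pass', // legacy plaintext value
];

var_dump(check_rescue_password($config, 'wrong-guess'));
var_dump(check_rescue_password($config, 'constructed-sample-pass'));
var_dump(is_hashed($config['conf_value'])); // row was upgraded in place
var_dump(check_rescue_password($config, 'constructed-sample-pass'));
```

After the second call the row no longer contains the password, so someone reading the table directly sees only the salted hash.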
