I'm convinced of the added value of the Protector module, but I would like to remark on a minor security risk in the config.
If someone can get direct access to the database, i.e. the hosting company ... if, if, if ...
Protector stores the rescue password unencrypted in the xoops_config table
field: conf_name: passwd_disabling_bip
field: conf_title: _MI_PROTECTOR_PASSWD_BIP
field: conf_value: ***unencrypted password***
Storing the password MD5-encrypted seems more secure in my case.
I've just noticed a new version 2.35 of Protector, but the risk still exists.
I have also noticed some problems when I use relative URLs in comments of the polls module with real HTML code enabled. I hope to find out why tomorrow.
Quote:
I'm convinced of the added value of the Protector module, but I would like to remark on a minor security risk in the config.
What you said is right.
Although Protector's password itself is not so important, some administrators may set it to the same value as their important password.
It sounds like an issue of usage.
I've just added a notice like this:
"Don't set this password same as your important password"
Anyway, it is better if any password is encrypted.
It will be added into Protector >= 2.4.
Quote:
I have also noticed some problems when I use relative URLs in comments of the polls module with real HTML code enabled. I hope to find out why tomorrow.
What is the problem ?
HTML comment is disabled automatically by Protector.
It is a protection against XSS.
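The point raised in the two posts above, as an added example that is not code from the Protector module or the XOOPS forum. It is in Python rather than the module's PHP, mimics the xoops_config row quoted above as a plain dict, and shows what someone who can read the table (the "hosting company" case) recovers from the conf_value in three cases: the plaintext storage described for 2.35, the unsalted MD5 suggested in the thread, and a salted iterated hash. The password, the wordlist and the iteration count are constructed for the example.

```python
"""Plaintext vs hashed storage of the Protector rescue password.

Added example for this thread, not code from the Protector module: it
mimics the xoops_config row quoted above as a dict and shows what a
reader of the database (the 'hosting company' case) gets back in each
case. Password, wordlist and iteration count are constructed for the
example.
"""
import hashlib
import hmac
import os
from typing import Optional

RESCUE_PASSWORD = "xoops2005"                        # constructed sample
WORDLIST = ["password", "admin", "xoops", "xoops2005", "letmein"]   # constructed
PBKDF2_ITERATIONS = 100_000                          # assumption; tune for your hardware


def config_row(conf_value: str) -> dict:
    """A row shaped like the xoops_config entry named in the thread."""
    return {"conf_name": "passwd_disabling_bip",
            "conf_title": "_MI_PROTECTOR_PASSWD_BIP",
            "conf_value": conf_value}


def store_plain(password: str) -> dict:
    """Protector <= 2.35 as described above: conf_value is the password itself."""
    return config_row(password)


def store_md5(password: str) -> dict:
    """Unsalted MD5 as suggested in the thread, tagged so verify() can tell it apart."""
    return config_row("md5$" + hashlib.md5(password.encode()).hexdigest())


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, iterated hash: 'pbkdf2$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return config_row(f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}")


def verify(row: dict, candidate: str) -> bool:
    """What rescue.php would do with the typed password, for any of the three formats.

    hmac.compare_digest keeps the comparison constant-time so a match
    cannot be found byte by byte through response timing.
    """
    value = row["conf_value"]
    if value.startswith("pbkdf2$"):
        _, iters, salt_hex, digest_hex = value.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    if value.startswith("md5$"):
        return hmac.compare_digest(hashlib.md5(candidate.encode()).hexdigest(), value[4:])
    return hmac.compare_digest(value.encode(), candidate.encode())   # legacy plaintext


def recover_from_dump(row: dict, wordlist) -> Optional[str]:
    """Offline attacker with read access to the table.

    Plaintext needs no work at all. Either hashed form forces one hash
    computation per guess, so only a password that is in the wordlist comes back.
    """
    value = row["conf_value"]
    if not value.startswith(("md5$", "pbkdf2$")):
        return value
    for guess in wordlist:
        if verify(row, guess):
            return guess
    return None


def precompute_md5_table(wordlist) -> dict:
    """Hash the wordlist once; reusable against every unsalted MD5 row ever dumped."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def lookup_md5(row: dict, table: dict) -> Optional[str]:
    """Zero-work lookup: works on md5$ rows, useless against salted rows."""
    value = row["conf_value"]
    return table.get(value[4:]) if value.startswith("md5$") else None


if __name__ == "__main__":
    table = precompute_md5_table(WORDLIST)
    for name, row in [("plain", store_plain(RESCUE_PASSWORD)),
                      ("md5", store_md5(RESCUE_PASSWORD)),
                      ("pbkdf2", store_pbkdf2(RESCUE_PASSWORD))]:
        print(f"{name:7} conf_value={row['conf_value'][:40]!r:44} "
              f"login ok={verify(row, RESCUE_PASSWORD)} "
              f"from dump={recover_from_dump(row, WORDLIST)!r} "
              f"table lookup={lookup_md5(row, table)!r}")
```

Two things the run makes visible. Unsalted MD5 does remove the password from the table, but a precomputed table built once answers every md5$ row with no further work, whereas the random salt forces fresh per-row guessing and the iteration count makes each guess cost more. Neither hash helps when the password is in the attacker's wordlist, which is exactly why the advice above not to reuse an important password stands even after hashing is added.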
Thanks for implementing it in your next release, what a service!
(other problem solved)
Thanks VERY much for this great module. I really think this should be included into xoops core in their official release.
I was going to suggest using MD5 for password storage and realized somebody else already did. It should be a simple patch, so if you have time, could you do this for us at your earliest convenience?
Quote:
Unfortunately you are banned by some troubles, access
http://(your xoops)/modules/protector/admin/rescue.php
Beforehand to use this feature, you have to set the password in preferences of XoopsProtector.
May I suggest a re-wording of this paragraph? I was quite confused. How about:
If unfortunately you as an administrator are banned by some unexpected errors, you can directly access
http://(your xoops)/modules/protector/admin/rescue.php
but be sure to set the password in preferences of XoopsProtector in advance.
Hi tklee.
Thank you for teaching me better English.
I've just modified it.