Bug#614304: [dtcdev] Re: Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-04-10 Thread Thomas Goirand
On 04/08/2011 09:49 PM, Thomas Goirand wrote: > On 04/08/2011 08:14 AM, Ansgar Burchardt wrote: >> Hi Thomas, >> >> I noticed you prepared a patch[1] using MySQL's PASSWORD() function. >> Please note that this function should *not* be used by applications >> besides MySQL itself[2] in addition to n

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-04-10 Thread Ansgar Burchardt
Hi, Thomas Goirand writes: > On 04/08/2011 08:14 AM, Ansgar Burchardt wrote: >> I noticed you prepared a patch[1] using MySQL's PASSWORD() function. >> Please note that this function should *not* be used by applications >> besides MySQL itself[2] in addition to not salting the hash. The crypt >>

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-04-08 Thread Thomas Goirand
On 04/08/2011 08:14 AM, Ansgar Burchardt wrote: > Hi Thomas, > > I noticed you prepared a patch[1] using MySQL's PASSWORD() function. > Please note that this function should *not* be used by applications > besides MySQL itself[2] in addition to not salting the hash. The crypt > function included

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-04-07 Thread Ansgar Burchardt
Hi Thomas, I noticed you prepared a patch[1] using MySQL's PASSWORD() function. Please note that this function should *not* be used by applications besides MySQL itself[2] in addition to not salting the hash. The crypt function included in PHP itself[3] with salting and a modern hash like SHA-512

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-02-21 Thread Ansgar Burchardt
severity 614304 critical tags 614304 + security thanks Thomas Goirand writes: >> Yes.  He could have gained read-only access or just access to an offline >> copy (for example a backup copy).  Also many people reuse passwords >> (yes, it's a bad idea, but people do), so this would allow compromi

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-02-21 Thread Thomas Goirand
- Original message - > Yes.  He could have gained read-only access or just access to an offline > copy (for example a backup copy).  Also many people reuse passwords > (yes, it's a bad idea, but people do), so this would allow compromise of > further systems. Sure, you "could" and it "w

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-02-21 Thread Ansgar Burchardt
Thomas Goirand writes: > On 02/21/2011 06:07 AM, Ansgar Burchardt wrote: >> dtc stores user passwords unencrypted in the database: >> >> $q = "INSERT INTO $pro_mysql_new_admin_table >> (reqadm_login, >> reqadm_pass, >> [...] >> VALUES('".$_REQUEST["reqadm_login"]."', >> '".$_REQUEST["

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-02-21 Thread Thomas Goirand
On 02/21/2011 06:07 AM, Ansgar Burchardt wrote: > Package: dtc-common > Version: 0.29.17-1 > Severity: grave > Tags: upstream security > > dtc stores user passwords unencrypted in the database: > > $q = "INSERT INTO $pro_mysql_new_admin_table > (reqadm_login, > reqadm_pass, > [...] > VA

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-02-20 Thread Ansgar Burchardt
Package: dtc-common Version: 0.29.17-1 Severity: grave Tags: upstream security dtc stores user passwords unencrypted in the database: $q = "INSERT INTO $pro_mysql_new_admin_table (reqadm_login, reqadm_pass, [...] VALUES('".$_REQUEST["reqadm_login"]."', '".$_REQUEST["reqadm_pass"]."',
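An added example, not part of this bug thread and not dtc's own code, showing the fix Ansgar proposes in the thread: hash the password with PHP's crypt() using a random salt and SHA-512 ("$6$") before it reaches the reqadm_pass column, and verify logins by re-running crypt() against the stored value. The mysqli connection and the table name `admin_requests` are assumptions; the column names reqadm_login and reqadm_pass are the ones in the quoted INSERT. The snippet in the report concatenates $_REQUEST values straight into the SQL string; the example below binds them as parameters instead. random_bytes() and hash_equals() postdate the 2011 thread (PHP 7 and PHP 5.6).

```php
<?php
// Added example (not dtc's code): salted SHA-512 crypt() hashing for the
// reqadm_pass column, in place of storing the plaintext password.

// Build a salt from the crypt() salt alphabet [./0-9A-Za-z] using a CSPRNG.
// The alphabet has exactly 64 symbols, so a byte reduced mod 64 is uniform.
function generate_salt(int $length = 16): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $bytes = random_bytes($length);   // PHP 7+
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[ord($bytes[$i]) % 64];
    }
    return $salt;
}

// "$6$" selects SHA-512 crypt; "rounds=N" sets the work factor (1000..999999999).
// A fresh salt per call means two users with the same password get different
// hashes, which MySQL's unsalted PASSWORD() cannot give you.
function hash_password(string $password, int $rounds = 100000): string
{
    $setting = '$6$rounds=' . $rounds . '$' . generate_salt() . '$';
    $hash = crypt($password, $setting);
    // crypt() reports failure with a short string such as "*0" or "*1".
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed: SHA-512 crypt unavailable');
    }
    return $hash;
}

// Verification re-runs crypt() with the stored hash as the setting string;
// the "$6$rounds=...$salt$" prefix is parsed out of it. hash_equals() keeps
// the comparison constant-time.
function verify_password(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Insert with bound parameters. Table name `admin_requests` is assumed;
// the column names come from the bug report.
function store_admin_request(mysqli $db, string $login, string $password): bool
{
    $stmt = $db->prepare(
        'INSERT INTO admin_requests (reqadm_login, reqadm_pass) VALUES (?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $hash = hash_password($password);
    $stmt->bind_param('ss', $login, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login check against the stored hash (same assumed table).
function check_admin_login(mysqli $db, string $login, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT reqadm_pass FROM admin_requests WHERE reqadm_login = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close();
    return $found === true && verify_password($password, $stored);
}

// Offline demonstration of the hashing part (no database needed):
// the same password hashed twice gives two different strings, and only
// the right password verifies against either of them.
$h1 = hash_password('correct horse');
$h2 = hash_password('correct horse');
echo $h1, "\n", $h2, "\n";
echo $h1 !== $h2 ? "distinct salts: ok\n" : "salt reuse!\n";
echo verify_password('correct horse', $h1) ? "verify: ok\n" : "verify: FAIL\n";
echo verify_password('wrong', $h1) ? "reject: FAIL\n" : "reject: ok\n";
```

Two practitioner caveats. First, rounds is the knob to tune: pick a value that costs tens of milliseconds on the login host, since a leaked table of unsalted or cheap hashes is only marginally better than the plaintext column the report describes. Second, doing the hashing in PHP rather than in the query (whether with PASSWORD() or any other SQL function) also keeps the plaintext out of the SQL text that the database server sees and may log.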