
Ticket #364 (new bug)

Opened 7 months ago

Last modified 6 months ago

Way to use password in query at login

Reported by: jeanyves Assigned to: jeanyves
Priority: major Milestone: unassigned
Component: unknown Version:
Keywords: security password Cc:
Follow up needed: review code Frequently reported: 1
Announce on BW: 0

Description

In bwauthlib there is the following query (a similar one was in old BW)

$query = "SELECT id,Status,Username FROM members WHERE Username='" . $this->dao->escape($handle) . "' AND PassWord = PASSWORD('".$this->dao->escape($password)."')";

The nasty effect is that if the query is logged because it is delayed (it happened yesterday), the password is recorded in plain text in the log.

Change History

01/26/08 16:50:17 changed by jeanyves

  • follow_up changed from none to review code.

I have done a partial improvement.

I now realize that these passwords should be md5() or similar; I don't find a way to do a proper test "is the entered password corresponding to the one the mysql PASSWORD() function will compute" without risking a query log.

I propose an improvement which will reduce the risk of the slow log recording the password in plain text.

Please comment
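One way to do the test jeanyves asks about above without the password ever being part of the SQL text. This is an added example for the ticket, not bwauthlib or BW code. It assumes the members table named in the ticket (columns id, Status, Username, PassWord), that PassWord holds MySQL 4.1+ PASSWORD() output ("*" followed by the upper-case hex of SHA1(SHA1(password))), and the function names mysqlNativePasswordHash, authenticate and storeNewPassword are hypothetical; the demo at the end uses an in-memory SQLite table with constructed sample data so it runs without a MySQL server.

```php
<?php
// Added example for this ticket, not bwauthlib or BW code. Assumes the members
// table from the ticket (id, Status, Username, PassWord) and that PassWord holds
// MySQL 4.1+ PASSWORD() output: "*" followed by the upper-case hex of
// SHA1(SHA1(password)). The demo below uses an in-memory SQLite table with
// constructed sample data so it runs without a MySQL server.

// Application-side equivalent of the MySQL 4.1+ PASSWORD() function, so the
// comparison can be made in PHP instead of inside the SQL statement.
function mysqlNativePasswordHash(string $password): string
{
    return '*' . strtoupper(sha1(sha1($password, true)));
}

// Login lookup by username only: the statement that reaches the server (and any
// slow or general query log) never contains the password or its hash.
function authenticate(PDO $pdo, string $handle, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, Status, Username, PassWord FROM members WHERE Username = :handle'
    );
    $stmt->execute([':handle' => $handle]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // Values written with password_hash() start with "$"; legacy rows still carry
    // PASSWORD() output. Both are verified in PHP with a timing-safe comparison.
    $stored = (string) $row['PassWord'];
    if ($stored !== '' && $stored[0] === '$') {
        $ok = password_verify($password, $stored);
    } else {
        $ok = hash_equals($stored, mysqlNativePasswordHash($password));
    }
    if (!$ok) {
        return null;
    }

    unset($row['PassWord']);   // never hand the stored hash to the caller
    return $row;
}

// For new accounts, or right after a successful legacy login: replace the
// PASSWORD() value with a salted, slow hash independent of any MySQL function.
function storeNewPassword(PDO $pdo, int $memberId, string $password): void
{
    $stmt = $pdo->prepare('UPDATE members SET PassWord = :hash WHERE id = :id');
    $stmt->execute([
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
        ':id'   => $memberId,
    ]);
}

// --- demo with constructed data (SQLite in memory, standing in for MySQL) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, Status TEXT, Username TEXT, PassWord TEXT)');
$ins = $pdo->prepare('INSERT INTO members (id, Status, Username, PassWord) VALUES (1, :s, :u, :p)');
$ins->execute([':s' => 'Active', ':u' => 'alice', ':p' => mysqlNativePasswordHash('correct horse')]);

var_dump(authenticate($pdo, 'alice', 'correct horse') !== null);   // legacy PASSWORD() row
var_dump(authenticate($pdo, 'alice', 'wrong') === null);

storeNewPassword($pdo, 1, 'correct horse');                        // migrate the row
var_dump(authenticate($pdo, 'alice', 'correct horse') !== null);   // password_hash() row
var_dump(authenticate($pdo, "alice' OR '1'='1", 'x') === null);    // handle is a bound parameter
```

Run it with `php login_example.php` (PHP 7.1 or newer for the nullable return type; hash_equals and password_hash need 5.6 and 5.5 respectively). The point of the design is that the only value interpolated into any statement is a bound username, so a slow-query or general log entry for the login query can never contain password material; the PASSWORD() re-implementation exists only to keep existing rows working until they are rewritten by storeNewPassword.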

02/27/08 10:31:59 changed by feuerdaemon

  • freq_reported set to 1.
  • show_on_bw changed.

The passwords aren't stored encrypted in the DB?

I thought the DB has only the crypted pwd. The SM- and PHPBB3-Forum use it like this:

Someone has transmitted the password 'test'. After you have checked that the transmitted string isn't any risk to use (spoof-free, code-free, etc.; it just means it's safe to handle), you encrypt it (in that case with md5()) and hold it in the var (in the var is the md5 value for the string 'test' -> 81dc9bdb52d04dc20036dbd8313ed055). And with that you can work -> put it in the DB, compare it, etc.

Because the DB holds only the md5 value of your password, you can just compare the (crypted) var with the (also crypted) DB value. Then there is also no problem with logging the (crypted) pwd somewhere. Sure, you should try to NOT log any (also crypted) pwd anywhere.

But while this is a problem with a query to the DB, it seems to me that we don't use a crypt. If we did, a log wouldn't be very risky.
