Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-04-10 Thread Ansgar Burchardt
Hi, Thomas Goirand tho...@goirand.fr writes: On 04/08/2011 08:14 AM, Ansgar Burchardt wrote: I noticed you prepared a patch[1] using MySQL's PASSWORD() function. Please note that this function should *not* be used by applications besides MySQL itself[2] in addition to not salting the hash.

Bug#614304: [dtcdev] Re: Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-04-10 Thread Thomas Goirand
On 04/08/2011 09:49 PM, Thomas Goirand wrote: On 04/08/2011 08:14 AM, Ansgar Burchardt wrote: Hi Thomas, I noticed you prepared a patch[1] using MySQL's PASSWORD() function. Please note that this function should *not* be used by applications besides MySQL itself[2] in addition to not salting

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-04-08 Thread Thomas Goirand
On 04/08/2011 08:14 AM, Ansgar Burchardt wrote: Hi Thomas, I noticed you prepared a patch[1] using MySQL's PASSWORD() function. Please note that this function should *not* be used by applications besides MySQL itself[2] in addition to not salting the hash. The crypt function included in

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-04-07 Thread Ansgar Burchardt
Hi Thomas, I noticed you prepared a patch[1] using MySQL's PASSWORD() function. Please note that this function should *not* be used by applications besides MySQL itself[2] in addition to not salting the hash. The crypt function included in PHP itself[3] with salting and a modern hash like
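The contrast Ansgar draws above, as an added PHP example that is not part of the thread and not dtc's own code. It reproduces what MySQL's PASSWORD() computes only to show that equal passwords give equal digests (no salt), then stores and checks passwords with PHP's crypt() using a per-user random salt. Assumptions: SHA-512 crypt ($6$) is used as the "modern hash", since the reply is cut off before naming one; the rounds count, salt length, the PDO/SQLite handle and the table name admin_req are placeholders; the prepared-statement INSERT replacing the interpolated $_REQUEST query from the bug report is an extra change the reply itself does not propose. Needs PHP 7.0 or later (random_int, hash_equals) with the pdo_sqlite extension.

```php
<?php
// Added example, not dtc's code: unsalted MySQL PASSWORD() scheme versus
// salted crypt() as recommended in the thread. PHP >= 7.0, pdo_sqlite.

// What MySQL >= 4.1 PASSWORD() computes: '*' . HEX(SHA1(SHA1(pw))), inner
// SHA1 raw. Reproduced only to show it takes no salt: equal passwords map
// to equal digests, so a dumped table is cross-matched and rainbow-tabled.
function mysql_password_equiv(string $pw): string
{
    return '*' . strtoupper(sha1(sha1($pw, true)));
}

// Salt characters from crypt()'s alphabet, drawn from a CSPRNG.
function make_crypt_salt(int $len = 16): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < $len; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $salt;
}

// SHA-512 crypt ($6$). The rounds value is an assumption; tune it so that
// one hash costs tens of milliseconds on the server.
function hash_password(string $pw, int $rounds = 50000): string
{
    $setting = sprintf('$6$rounds=%d$%s$', $rounds, make_crypt_salt());
    $hash = crypt($pw, $setting);
    if (strlen($hash) < 13) {           // crypt() returns '*0' or '*1' on failure
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// crypt() re-reads algorithm, rounds and salt from the stored string, so
// nothing beyond the hash itself has to be stored; compare in constant time.
function verify_password(string $pw, string $stored): bool
{
    return hash_equals($stored, crypt($pw, $stored));
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- demonstration with constructed inputs ---
$pw = 'correct horse';

// Two admins chose the same password: PASSWORD() cannot hide that ...
expect(mysql_password_equiv($pw) === mysql_password_equiv($pw), 'PASSWORD() is deterministic');

// ... while crypt() with a fresh salt per user yields unrelated strings
// that both still verify.
$h1 = hash_password($pw);
$h2 = hash_password($pw);
expect($h1 !== $h2, 'salted hashes differ');
expect(verify_password($pw, $h1) && verify_password($pw, $h2), 'both verify');
expect(!verify_password('wrong', $h1), 'wrong password rejected');

// Storing the hash: the INSERT in the bug report interpolates $_REQUEST
// into SQL; a prepared statement binds the values instead. Column names
// follow the report; the in-memory SQLite table is a placeholder.
$login = "alice'); DROP TABLE admin_req; --";   // constructed hostile input
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin_req (reqadm_login TEXT PRIMARY KEY, reqadm_pass TEXT)');
$ins = $db->prepare('INSERT INTO admin_req (reqadm_login, reqadm_pass) VALUES (:login, :pass)');
$ins->execute([':login' => $login, ':pass' => hash_password($pw)]);

// Login check: fetch the stored hash by login and verify against it.
$sel = $db->prepare('SELECT reqadm_pass FROM admin_req WHERE reqadm_login = :login');
$sel->execute([':login' => $login]);
$row = $sel->fetch(PDO::FETCH_ASSOC);
expect($row !== false && verify_password($pw, $row['reqadm_pass']), 'stored hash verifies');
echo "ok\n";
```

Because the stored string carries its own `$6$rounds=...$salt$` prefix, the rounds count can be raised later and old rows keep verifying; rehash on successful login to migrate them.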

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-02-21 Thread Thomas Goirand
On 02/21/2011 06:07 AM, Ansgar Burchardt wrote: Package: dtc-common Version: 0.29.17-1 Severity: grave Tags: upstream security dtc stores user passwords unencrypted in the database: $q = INSERT INTO $pro_mysql_new_admin_table (reqadm_login, reqadm_pass, [...]

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-02-21 Thread Ansgar Burchardt
Thomas Goirand tho...@goirand.fr writes: On 02/21/2011 06:07 AM, Ansgar Burchardt wrote: dtc stores user passwords unencrypted in the database: $q = INSERT INTO $pro_mysql_new_admin_table (reqadm_login, reqadm_pass, [...] VALUES('.$_REQUEST[reqadm_login].',

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-02-21 Thread Thomas Goirand
- Original message - Yes.  He could have gained read-only access or just access to an offline copy (for example a backup copy).  Also many people reuse passwords (yes, it's a bad idea, but people do), so this would allow compromise of further systems. Sure, you could and it would

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-02-21 Thread Ansgar Burchardt
severity 614304 critical tags 614304 + security thanks Thomas Goirand tho...@goirand.fr writes: Yes.  He could have gained read-only access or just access to an offline copy (for example a backup copy).  Also many people reuse passwords (yes, it's a bad idea, but people do), so this would

Bug#614304: dtc-common: does store user passwords unhashed in the database

2011-02-20 Thread Ansgar Burchardt
Package: dtc-common Version: 0.29.17-1 Severity: grave Tags: upstream security dtc stores user passwords unencrypted in the database: $q = INSERT INTO $pro_mysql_new_admin_table (reqadm_login, reqadm_pass, [...] VALUES('.$_REQUEST[reqadm_login].', '.$_REQUEST[reqadm_pass].', (from