[TYPO3-dev] Services architecture
Steffen Ritter
info at rs-websystems.de
Thu Mar 24 10:48:59 CET 2011
On 24.03.2011 09:29, Dmitry Dulepov wrote:
> Hi!
>
> Christian Lerrahn (Cerebrum) wrote:
>> Now, I was rather puzzled (and to be honest a bit shocked) when I found
>> out that rsaauth calls the basic authentication services again instead
>> of just exiting to pass the decrypted password down the chain.
>
> You never know who is watching for the decrypted password. The safer way
> was to call the basic auth from rsaauth. In that case the clear-text
> password is only visible to those who need it.
>
>> This gets even worse when saltedpasswords duplicates rsaauth code to
>> decrypt the password before it checks it against the stored password
>> hash.
>
> I never reviewed the code of that extension, so I cannot comment. Is it
> really a duplicate, or is it a call to rsaauth?
>
I think this should officially be discussed and decided by the security
team.
As already pointed out, I see no difference between injecting some code
that just reads a variable and injecting code that calls a few more lines
and decrypts it with rsaauth itself... As soon as you are able to execute
PHP code it does not matter, I think.
So please make this an official ticket with the security team, and Helmut
should post the decision you made here.
regards
Steffen
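To make the two arrangements under discussion concrete, here is an added illustration that is not TYPO3 code and does not use the TYPO3 service API: a minimal chain-of-services model in which one service decrypts the transmitted password either (A) by writing the cleartext back into the shared login data and letting the chain continue, or (B) by keeping the cleartext in a local copy and calling the password check directly, as the quoted message describes. All class names, the `uident` key, the `enc:` prefix and the base64 stand-in for RSA decryption are hypothetical; the only point is how many services get to see the cleartext in each case.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. All names and the "enc:" + base64 stand-in
// for RSA decryption are hypothetical; only the chain mechanics matter.

interface AuthService
{
    // true = authenticated, false = rejected, null = not handled, try the next service
    public function authenticate(array &$loginData, array &$seenBy): ?bool;
}

// Verifies a cleartext password against a stored salted hash.
final class PasswordCheck implements AuthService
{
    public function __construct(private string $storedHash) {}

    public function authenticate(array &$loginData, array &$seenBy): ?bool
    {
        $seenBy[] = self::class;
        return password_verify($loginData['uident'], $this->storedHash);
    }
}

// Any other service registered in the chain: it sees whatever $loginData holds.
final class ObservingService implements AuthService
{
    public array $observed = [];

    public function authenticate(array &$loginData, array &$seenBy): ?bool
    {
        $seenBy[] = self::class;
        $this->observed[] = $loginData['uident'];
        return null; // does not decide, chain continues
    }
}

// Arrangement A: decrypt, write the cleartext back into the shared login data,
// return null so the chain continues. Every later service now sees the cleartext.
final class DecryptAndPassDown implements AuthService
{
    public function __construct(private Closure $decrypt) {}

    public function authenticate(array &$loginData, array &$seenBy): ?bool
    {
        $seenBy[] = self::class;
        $loginData['uident'] = ($this->decrypt)($loginData['uident']);
        return null;
    }
}

// Arrangement B: decrypt into a local copy, call the password check directly,
// return its verdict so the chain stops. Shared login data keeps the ciphertext.
final class DecryptAndVerifyInPlace implements AuthService
{
    public function __construct(private Closure $decrypt, private PasswordCheck $check) {}

    public function authenticate(array &$loginData, array &$seenBy): ?bool
    {
        $seenBy[] = self::class;
        $local = $loginData;                               // array copy, not a reference
        $local['uident'] = ($this->decrypt)($local['uident']);
        return $this->check->authenticate($local, $seenBy);
    }
}

// Runs services in order until one returns a definite answer.
function runChain(array $services, array $loginData): array
{
    $seenBy = [];
    foreach ($services as $service) {
        $result = $service->authenticate($loginData, $seenBy);
        if ($result !== null) {
            return ['result' => $result, 'seenBy' => $seenBy, 'loginData' => $loginData];
        }
    }
    return ['result' => false, 'seenBy' => $seenBy, 'loginData' => $loginData];
}

// Constructed sample data: base64 stands in for the RSA transport encryption.
$decrypt = fn(string $c): string => base64_decode(substr($c, strlen('enc:')));
$storedHash = password_hash('correct horse', PASSWORD_DEFAULT);
$login = ['uname' => 'editor', 'uident' => 'enc:' . base64_encode('correct horse')];

$observerA = new ObservingService();
$a = runChain([new DecryptAndPassDown($decrypt), $observerA, new PasswordCheck($storedHash)], $login);
printf("A: result=%s, services run=%d, observer saw cleartext=%s\n",
    var_export($a['result'], true), count($a['seenBy']),
    var_export(in_array('correct horse', $observerA->observed, true), true));

$observerB = new ObservingService();
$b = runChain([new DecryptAndVerifyInPlace($decrypt, new PasswordCheck($storedHash)), $observerB], $login);
printf("B: result=%s, services run=%d, observer saw cleartext=%s, shared uident still encrypted=%s\n",
    var_export($b['result'], true), count($b['seenBy']),
    var_export(in_array('correct horse', $observerB->observed, true), true),
    var_export(str_starts_with($b['loginData']['uident'], 'enc:'), true));
```

In arrangement A the cleartext is part of the shared login data from the decryption step onward, so every later service in the chain (and anything hooked into it) can read it; in arrangement B it exists only inside the decrypting service and the one verifier it calls, and the shared data never changes. Whether that distinction matters once an attacker can already run PHP on the host is the point Steffen raises above; the example only shows what each arrangement exposes to legitimately registered services.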