[TYPO3-english] Typo3 hole leads to boom in hash cracking
Erik Svendsen
erik at linnearad.no
Mon Jun 1 11:23:53 CEST 2009
Vahan Amirbekyan wrote:
> VERY IMPORTANT:
>
> http://www.h-online.com/news/Typo3-hole-leads-to-boom-in-hash-cracking--/112644
>
>
> can salt be added to the algorithm?
This is old news, and has been patched long ago.
http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/
As far as I know, salt cannot be added to the Install Tool hashed
password in localconf.php (I may be wrong). But the Install Tool should
never be accessible after the installation of the site.
For BE-users and FE-users it's possible to use salt, through a specific
extension.
http://typo3.org/extensions/repository/view/t3sec_saltedpw/current/
And salted MD5 passwords, RSA and OpenID will be part of Version 4.3.
Best
Erik Svendsen