[TYPO3-core] RFC #12430: Install Tool Password gets transmitted plain text
Ernesto Baschny [cron IT]
ernst at cron-it.de
Mon Nov 2 09:56:05 CET 2009
Hi Bernhard,
I like that feature! Haven't tested it, but I just noticed this change:
$this->typo3tempPath . '/' . $this->sessionPath,
md5(
'session:' .
- $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword']
+ $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']
)
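Review bot: the session directory name in this hunk is derived only from md5('session:' . encryptionKey), so while encryptionKey is still empty (first-time setup through the 1-2-3 installer) the path is a fixed value anyone can compute, and the moment the key is generated the path changes and every open session is dropped; derive the path from a value that exists and stays stable from the first request, or refuse to start a session while the key is empty, and apply the same consideration to the sessionHash.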
Using the encryptionKey is not really possible for the session storage,
as there is no encryptionKey set once the 1-2-3 installer runs, so the
session directory will change as soon as the encryptionKey changes
(thus logging the user "off").
Same goes for the sessionHash.
Cheers,
Ernesto
Bernhard Kraft wrote:
> This is a SVN patch request.
>
> Type: feature
>
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=12430
>
> Branches:
> Trunk (after 4.3 is released ???)
>
> Problem:
> If you log into the Install Tool the password will get transmitted in
> plain text. This could cause problems in some situations.
>
>
> Solution:
> Perform a challenge/response password authentication like the one used
> for the BE login form. The current rewritten Install Tool login, using a
> custom session management, easily allows adding such a feature.
>
> See attached patch. It also features a nice error message if you tried
> a wrong password.
>
>
> Note:
> As this would be a new feature, I guess it should not get into trunk
> before 4.3 gets its own branch???
>
>
> greets,
> Bernhard
>
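As an added illustration of the challenge/response login Bernhard proposes (example code written for this thread, not the attached patch or TYPO3's own implementation): the server hands out a random one-time challenge, the browser submits md5(md5(password):challenge) instead of the password, and the server compares against the stored password digest. The stored-md5 password, the response format and the single-use challenge set are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for TYPO3_CONF_VARS['BE']['installToolPassword'].
# Assumption: the server stores only md5(password), as the Install Tool did.
STORED_PASSWORD_MD5 = hashlib.md5(b"joh316").hexdigest()


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


class InstallToolServer:
    """Server side: hands out one-time challenges and checks responses."""

    def __init__(self, stored_md5: str) -> None:
        self.stored_md5 = stored_md5
        self.open_challenges: set[str] = set()

    def new_challenge(self) -> str:
        # Unpredictable challenge, remembered only until it is consumed.
        challenge = secrets.token_hex(16)
        self.open_challenges.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        # Unknown or already-used challenge: refuse, so a captured
        # (challenge, response) pair cannot simply be replayed.
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)
        expected = md5hex(self.stored_md5 + ":" + challenge)
        return hmac.compare_digest(expected, response)


def client_response(password: str, challenge: str) -> str:
    # What the login form's JavaScript would compute before submitting.
    # Only this digest travels over the wire; the plain password never does.
    # Caveat: the stored md5 is password-equivalent, whoever holds it can answer.
    return md5hex(md5hex(password) + ":" + challenge)


def run_exchange(password: str) -> tuple[bool, bool]:
    """Returns (first login accepted, replay of the same response accepted)."""
    server = InstallToolServer(STORED_PASSWORD_MD5)
    challenge = server.new_challenge()
    response = client_response(password, challenge)
    first = server.verify(challenge, response)
    replayed = server.verify(challenge, response)
    return first, replayed
```

This only keeps the password itself off the wire; it does not replace TLS, since everything else in the session is still sent in the clear.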