[TYPO3-core] RFC #12430: Install Tool Password gets transmitted plain text

Ernesto Baschny [cron IT] ernst at cron-it.de
Mon Nov 2 10:40:23 CET 2009


Bernhard Kraft wrote:

>> Using the encryptionKey is not really possible for the session storage,
>> as there is not encryptionKey set once the 1-2-3 installer runs, so that
>> the session directory will change as soon as the encryptionKey changes
>> (thus logging the user "off").
> 
> I know that. Before this change a user had to re-login when changing the password.
> Now he would have to re-login when changing the encryption key.

> The reason behind this:
> 
> If you try the patch, first try to login into the install tool with a wrong password.
> Now you'll see a nice "Wrong password" ->message() instead of the plain-text showing
> the md5 value of the password.
> 
> As now neither the plain-text password nor its md5-sum gets transmitted, I can't
> show the md5 value to the user, so he can copy&paste it into the install tool. As most
> admins do not have an md5-calculator at hand, I fixed this problem by adding a button
> "Get MD5". It will show the MD5 value of the password you have currently filled into
> the login-form of the install tool. You can then copy&paste this value to your localconf.php.
> 
> Now the problem is: the session is stored depending on the install tool password. So if
> you do the following steps:
> 1: fill in a password and press "Login"
> 2: get error message "wrong password"
> 3: fill in your wanted password and use the "Get MD5" button to get its md5 sum
> 4: copy&paste that value to localconf.php
> 5: directly press "Login" without reloading the install tool login form
> 6: get error message: "wrong password"
> 
> You won't expect the last step, because you just logged in with the password whose md5
> value you just copied into localconf.php. The reason for this is: the challenge value is
> also stored in the session. So if you change the install tool password, you'll lose the
> stored challenge value, and can not calculate the correct response on the server.
> 
> It's quite hard to explain if you haven't tried the patch. I'll be available in IRC if
> you would like to discuss this.

Ah ok, now I see! And does the 1-2-3 installer still work after the
step where the encryptionKey is set? Have you tried it? Sorry, I have
currently no time to test it, just writing my thoughts before they
vanish. :)

Cheers,
Ernesto
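The six-step failure Bernhard describes, modelled as an added Python example that is not part of this thread or of TYPO3's code. It assumes a session store keyed on the install tool password hash, a challenge kept in that session, and a response of the form md5(challenge + ":" + md5(password)); all three are assumptions made for illustration.

```python
import hashlib
import secrets


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class InstallToolModel:
    """Constructed model: the session (and the challenge stored in it) lives under a
    directory derived from the currently configured password hash, as described above."""

    def __init__(self, password_md5: str):
        self.localconf_password_md5 = password_md5   # value in localconf.php
        self.sessions = {}                           # password hash -> stored challenge

    def render_login_form(self) -> str:
        # Loading the form creates a fresh challenge inside the session for the *current* hash.
        challenge = secrets.token_hex(8)
        self.sessions[self.localconf_password_md5] = challenge
        return challenge

    def login(self, response: str) -> str:
        stored = self.sessions.get(self.localconf_password_md5)
        if stored is None:
            # Password hash changed since the form was rendered: the session directory moved,
            # so the server no longer has the challenge and cannot compute the expected response.
            return "wrong password"
        expected = md5(stored + ":" + self.localconf_password_md5)   # assumed response format
        return "logged in" if response == expected else "wrong password"


def client_response(challenge: str, password: str) -> str:
    # Browser side: never sends the password or its md5, only the derived response.
    return md5(challenge + ":" + md5(password))


def reproduce_steps() -> tuple:
    tool = InstallToolModel(md5("old-secret"))
    challenge = tool.render_login_form()                            # form loaded once
    step2 = tool.login(client_response(challenge, "new-secret"))    # steps 1-2: not yet configured
    tool.localconf_password_md5 = md5("new-secret")                 # steps 3-4: "Get MD5" + paste
    step6 = tool.login(client_response(challenge, "new-secret"))    # steps 5-6: fails, challenge gone
    challenge = tool.render_login_form()                            # reload the form
    after_reload = tool.login(client_response(challenge, "new-secret"))
    return step2, step6, after_reload
```

Reloading the form is what restores a challenge under the new session key, which is why step 6 fails only when the form is not reloaded.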


More information about the TYPO3-team-core mailing list