1. xpozay
  2. RO CSVI
  3. Thursday, 21 April 2016
Two Issues

1) The FTP password is stored in the clear in the table csvi_templates for each template, regardless of whether FTP is chosen as a destination.
2) Even if I do not use FTP as an option (in destination under source Tab), my cached ID & PW (cached from Chrome) is captured and stored in the settings for the edited template. Thus an administrator could gain access to my personal ID / PW combination that I use elsewhere. E.g. change destination to FTP and Download. Clear FTP and save (Chrome cache / remember me must be active). I can get around this by changing the ID & PW in FTP to something silly. Then save. Then remove FTP as a destination. The ID & PW is still saved, but it is the silly one.
Accepted Answer Pending Moderation
Hello,

> The FTP password is stored in the clear in the table csvi_templates for each template regardless if FTP is chosen as a destination.
FTP password is indeed stored in clear text, same way as it is stored in clear text in your Joomla configuration file. I do agree we should not store any user details if the option is not set.

> (cached from chrome)
Not something I have noticed, perhaps my Chrome has no details to enter.

> Thus an administrator could gain access to my personal ID / PW combination that I use elsewhere.
In terms of security, you should use a different user/pass everywhere. It's just a pesky "feature" that browsers auto-fill fields when we don't ask for it.

I will create a fix for this in the upcoming release.
Kind regards,

RolandD

=========================
If you use our extensions, please post a rating and a review at the Joomla! Extension Directory
  1. more than a month ago
  2. RO CSVI
  3. # 1
Thanks.

While I do use different ID/PW combinations, still not nice for a work person who rightfully has access to configuration.php and thus the database to be able to see a person's personal ID/PW. Anyway, I have a workaround that I can live with until the fix is out.

Thanks again.
  1. more than a month ago
  2. RO CSVI
  3. # 2
Hello,

As I said, I agree with you it shouldn't be stored if you are not using it. At the same time, who would think that browsers are so invasive? That certainly wasn't the case years ago when this feature was introduced.

Thank you for bringing this to my attention.
Kind regards,

RolandD

  1. more than a month ago
  2. RO CSVI
  3. # 3
Hello,

Attached is a patch file that fixes this issue. Please load the patch file and verify the problem is fixed for you.

Let me know how it goes.
Attachments (1)
Kind regards,

RolandD

  1. more than a month ago
  2. RO CSVI
  3. # 4
Hi there,

Unfortunately, this patch has not fixed the issue. The password is still stored in the clear.
  1. more than a month ago
  2. RO CSVI
  3. # 5
Hello,

You are looking at something different than me. The patch is to resolve the storing of the credentials when not using FTP.
Kind regards,

RolandD

  1. more than a month ago
  2. RO CSVI
  3. # 6
Not sure I follow then.
* If I delete the FTP destination option and say just have download, the FTP ID/PW is still stored in the template.settings
* The password is still in the clear.
  1. more than a month ago
  2. RO CSVI
  3. # 7
Hello,

> If I delete the FTP destination option and say just have download, the FTP ID/PW is still stored in the template.settings
That should have been resolved with the patch as it clears out the FTP ID/PW when the option isn't selected. I will have another look.

> The password is still in the clear.
That I am still working on.
Kind regards,

RolandD

  1. more than a month ago
  2. RO CSVI
  3. # 8
Hello,

There was a mistake in my patch; attached is the revised patch.

As for the encryption, this has become a fundamental change in the code because the encrypted password cannot be stored the same way as other data is stored. As such, it affects a large part of the codebase; this will be implemented in the next feature release.
Attachments (1)
Kind regards,

RolandD

  1. more than a month ago
  2. RO CSVI
  3. # 9
Excellent. I can confirm this is now working :)

Thanks again for your quick response.
  1. more than a month ago
  2. RO CSVI
  3. # 10
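
The behaviour the thread attributes to the revised patch (clearing the FTP ID/PW when FTP is not a selected destination), together with an audit pass over rows saved before the fix, as an added example that is not CSVI's code and not part of the thread. It assumes the `settings` value of each `csvi_templates` row is JSON; the key names `destination`, `ftpusername` and `ftppass` are hypothetical.

```python
import json

# Hypothetical key names: the thread only says the FTP ID/PW live in the
# settings of each csvi_templates row; the real keys may differ.
CRED_KEYS = ("ftpusername", "ftppass")

def uses_ftp(settings):
    """True when FTP is among the template's selected destinations."""
    dest = settings.get("destination") or []
    if isinstance(dest, str):  # a single destination stored as a plain string
        dest = [dest]
    return any(str(d).lower() == "ftp" for d in dest)

def scrub_ftp_credentials(settings):
    """Return a copy with the FTP ID/PW blanked unless FTP is a destination."""
    cleaned = dict(settings)
    if not uses_ftp(cleaned):
        for key in CRED_KEYS:
            if key in cleaned:
                cleaned[key] = ""
    return cleaned

def audit_templates(rows):
    """Return (template_id, finding) pairs; credential values are never echoed."""
    findings = []
    for template_id, raw in rows:
        try:
            settings = json.loads(raw)
            if not isinstance(settings, dict):
                raise ValueError("settings is not a JSON object")
        except (TypeError, ValueError):
            findings.append((template_id, "unparseable settings"))
            continue
        if not any(settings.get(k) for k in CRED_KEYS):
            continue  # nothing stored, nothing to report
        if uses_ftp(settings):
            findings.append((template_id, "FTP credentials stored in clear text"))
        else:
            findings.append((template_id, "stale FTP credentials"))
    return findings

# Constructed sample rows (id, settings JSON); not taken from a real site.
SAMPLE_ROWS = [
    (1, json.dumps({"destination": ["download"], "ftpusername": "alice", "ftppass": "example-only"})),
    (2, json.dumps({"destination": ["ftp"], "ftpusername": "export", "ftppass": "example-only"})),
    (3, json.dumps({"destination": "download", "ftpusername": "", "ftppass": ""})),
    (4, "not json"),
]
```

Any credential reported as stale has been readable by everyone with database access, so rotate it after scrubbing the row.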