All times are UTC




 Post subject: Feature Requests for CMSMS 2 Core
PostPosted: Mon Aug 13, 2007 3:24 pm 
Translator

Joined: Wed Apr 18, 2007 9:25 am
Posts: 457
Location: Germany
Login:

Before the password is sent to the server, it could be encrypted in MD5 via JavaScript. That is what Typo3 is doing. Only if this is more secure :)

_________________
Top Forum Entries (en):
http://forum.cmsmadesimple.org/index.ph ... 450.0.html (Search Plugins for Firefox)
Top Forum Einträge (de):
http://forum.cmsmadesimple.org/index.ph ... 541.0.html (HowTo: CMSms Sicherheit ab Version 1.4.1)
http://forum.cmsmadesimple.org/index.ph ... 474.0.html (HowTo: CMSms-Tuning 1.x)
http://forum.cmsmadesimple.org/index.ph ... 465.0.html (Suchmaschinen Plugins für Firefox)

Delete unused lang files: http://forum.cmsmadesimple.org/index.ph ... l#msg65351 (own Script)

cmsmadesimple.org/api[doc]/ - the [old] API
-------
en: www.godlovestheworld.com • de: www.gottkennen.com - www.gottliebtsie.de


Last edited by SimonSchaufi on Thu Aug 16, 2007 9:26 am, edited 1 time in total.

 
 Post subject: Re: Future Requests for CMSMS 2 Core
PostPosted: Mon Aug 13, 2007 4:36 pm 
Power Poster

Joined: Tue Dec 13, 2005 10:50 pm
Posts: 1415
Location: Finland
I can't really see the benefit..

you can still sniff the md5 sum and use that.
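
An added example, not part of the original thread or of CMSMS, illustrating the reply above: when the browser submits md5(password), that hash is the value the server accepts, so a recorded hash logs in exactly as the password would. It goes beyond the thread by contrasting a single-use nonce challenge; the account, password and all function names are constructed for illustration.

```javascript
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');
const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest('hex');

// Constructed sample account: the server keeps md5(password) as its verifier.
const PASSWORD = 'correct horse battery';
const users = new Map([['editor', md5(PASSWORD)]]);

// Scheme proposed in the thread: the browser submits md5(password).
function loginStaticHash(user, sentHash) {
  return users.has(user) && users.get(user) === sentHash;
}

// Contrast (hypothetical): single-use server nonce, browser returns
// HMAC(md5(password), nonce), so each login puts a different value on the wire.
const pendingNonces = new Set();
function issueNonce() {
  const nonce = crypto.randomBytes(16).toString('hex');
  pendingNonces.add(nonce);
  return nonce;
}
function clientResponse(password, nonce) {
  return hmac(md5(password), nonce);
}
function loginChallenge(user, nonce, response) {
  // delete() returns false for an unknown or already-used nonce
  if (!pendingNonces.delete(nonce) || !users.has(user)) return false;
  const expected = Buffer.from(hmac(users.get(user), nonce));
  const got = Buffer.from(String(response));
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

function demo() {
  // What a passive observer of a plain-HTTP login records: the hash, not the password.
  const captured = md5(PASSWORD);
  const staticReplay = loginStaticHash('editor', captured);

  const n1 = issueNonce();
  const r1 = clientResponse(PASSWORD, n1);
  const legit = loginChallenge('editor', n1, r1);
  const sameNonceAgain = loginChallenge('editor', n1, r1);
  const freshNonceReplay = loginChallenge('editor', issueNonce(), r1);
  return { staticReplay, legit, sameNonceAgain, freshNonceReplay };
}

console.log(demo());
```

In the nonce variant the server still stores md5(password), which is all a client needs to answer a challenge, and neither variant hides anything from a key logger; a later reply in this thread points to SSL for the sniffing problem.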


 
 Post subject: Re: Future Requests for CMSMS 2 Core
PostPosted: Mon Aug 13, 2007 6:43 pm 
Support Guru

Joined: Mon Jul 24, 2006 3:27 pm
Posts: 3690
Location: Paris
What about a JavaScript key logger? It could sniff clear text passwords and post them on the web, newsgroups, IRC...
Have fun ;-)
Pierre M.

_________________
-- Pierre, support team member. comodérateur du forum francophone.
Please read "how to submit installation/support requests" before posting. Don't send private messages to ask for support.
Want to contribute to CMSms ? Improve the wiki with your forum account.


 
 Post subject: Re: Future Requests for CMSMS 2 Core
PostPosted: Mon Aug 13, 2007 8:56 pm 
Translator

Joined: Wed Apr 18, 2007 9:25 am
Posts: 457
Location: Germany
Am I right that it was not a good idea?

 
 Post subject: Re: Future Requests for CMSMS 2 Core
PostPosted: Tue Aug 14, 2007 11:31 am 
Support Guru

Joined: Mon Jul 24, 2006 3:27 pm
Posts: 3690
Location: Paris
Hello again,

As I'm no security expert, I don't know for sure if your idea is good or not. I welcome your intention to secure the communication.

But as I guess from tsw's post, if you care about sniffing, MD5 isn't enough of a win because it doesn't solve sniffing as SSL does. There are people building MD5 dictionaries to reverse hash obfuscation.

Obfuscation is good but attackers know it is not security.

Pierre M.

 
 Post subject: Re: Feature Requests for CMSMS 2 Core
PostPosted: Wed Aug 15, 2007 7:12 am 
Translator

Joined: Wed Apr 18, 2007 9:25 am
Posts: 457
Location: Germany
OK, let's close this topic and start a new topic here in this thread, or shall I create a new one?

A very big future request would be to check the user input in some fields like the UDT name (no "-" inside), creating a new user -> correct email address (preg_match) and so on. There is no checking at all!

Another very important request is this: if a user can create new pages, but has no right to edit all pages, he shall only create new pages UNDER the page he has access to, and not at the root. At the moment, after he creates a page, it is in the main menu and he has no access to edit the main menu.



Last edited by SimonSchaufi on Thu Aug 16, 2007 9:27 am, edited 1 time in total.

 
 Post subject: Re: Feature Requests for CMSMS 2 Core
PostPosted: Tue Oct 19, 2010 10:49 pm 
New Member

Joined: Tue Oct 19, 2010 10:37 pm
Posts: 1
CMSMS 2.0 sounds really promising. I especially like the possibility of tying in an ORM.
Brute force protection for admin/login.php would be fantastic in CMSMS 2.0.

