Feature Requests for CMSMS 2 Core
Posted: Mon Aug 13, 2007 3:24 pm
by SimonSchaufi
Login:
Before the password is sent to the server, it could be encrypted in MD5 via JavaScript. That is what Typo3 is doing. Only if this is more secure.

Re: Future Requests for CMSMS 2 Core
Posted: Mon Aug 13, 2007 4:36 pm
by tsw
I can't really see the benefit.
You can still sniff the MD5 sum and use that.
Re: Future Requests for CMSMS 2 Core
Posted: Mon Aug 13, 2007 6:43 pm
by Pierre M.
What about a JavaScript key logger? It could sniff clear text passwords and post them on the web, newsgroups, IRC...
Have fun

Pierre M.
Re: Future Requests for CMSMS 2 Core
Posted: Mon Aug 13, 2007 8:56 pm
by SimonSchaufi
Am I right that it was not a good idea?
Re: Future Requests for CMSMS 2 Core
Posted: Tue Aug 14, 2007 11:31 am
by Pierre M.
Hello again,
As I'm no security expert, I don't know for sure if your idea is good or not. I welcome your intention to secure the communication.
But as I guess from tsw's post, if you care about sniffing, MD5 isn't enough of a win because it doesn't solve sniffing as SSL does. There are people building MD5 dictionaries to revert hash obfuscation.
Obfuscation is good but attackers know it is not security.
Pierre M.
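The two points raised in the replies above (a sniffed MD5 sum can be submitted as-is, and unsalted MD5 values can be looked up in a dictionary), modelled as an added example that is not part of the original thread or of CMSMS or Typo3 code. `LoginServer`, the account name and the word list are hypothetical and constructed for illustration.

```python
import hashlib
import hmac


def client_md5(password: str) -> str:
    """What a browser-side script would send in place of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


class LoginServer:
    """Hypothetical server that stores and compares the client-side MD5."""

    def __init__(self):
        self._users = {}

    def register(self, user: str, password: str) -> None:
        self._users[user] = client_md5(password)

    def login(self, user: str, submitted_hash: str) -> bool:
        # The server only ever sees the hash, so the hash itself is the
        # credential: whoever presents it is logged in.
        expected = self._users.get(user)
        return expected is not None and hmac.compare_digest(expected, submitted_hash)


def dictionary_lookup(captured_hash: str, wordlist):
    """Unsalted MD5 is deterministic, so a precomputed table maps it back."""
    table = {client_md5(word): word for word in wordlist}
    return table.get(captured_hash)


def demo() -> dict:
    server = LoginServer()
    server.register("editor", "sunshine")      # constructed account
    on_the_wire = client_md5("sunshine")       # value visible on plain HTTP
    return {
        # The clear-text password is not in the request body...
        "password_on_wire": "sunshine" in on_the_wire,
        # ...but the observed value is accepted unchanged by the server,
        "replay_accepted": server.login("editor", on_the_wire),
        # ...and a small constructed word list maps it back to the password.
        "recovered": dictionary_lookup(on_the_wire, ["letmein", "sunshine", "qwerty"]),
    }


if __name__ == "__main__":
    print(demo())
```

The hash hides the password text from the request but not the credential, which is why the replies point to SSL: only encrypting the transport keeps the submitted value away from an observer.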
Re: Feature Requests for CMSMS 2 Core
Posted: Wed Aug 15, 2007 7:12 am
by SimonSchaufi
OK, let's close this topic and start a new topic here in this thread, or shall I create a new one?
A very big future request would be to check the user input in some fields like the UDT name (no "-" inside), creating a new user -> correct email address (pregmatch) and so on. There is no checking at all!
Another very important request is this: If a user can create new pages, but has no right to edit all pages, he shall only create new pages UNDER the page he has access to and not in the root. At the moment, after he creates a page it is in the main menu and he has no access to edit the main menu.