Piwigo Bugtracker

Piwigo bug tracker has moved to Github

This bugtracker is kept to provide history on old issues.


ID: 0002727
Project: Piwigo
Category: security
View Status: public
Date Submitted: 2012.08.21 15:55
Last Update: 2012.11.02 15:39
Reporter: kubrick
Assigned To: plg
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Platform: All
OS:
OS Version:
Product Version: 2.4.3
Target Version: 2.5.0beta2
Fixed in Version: 2.5.0beta2
Summary: 0002727: Piwigo stores unsalted passwords
Description: By default Piwigo just stores an MD5 hash of passwords in the database.

One has to manually change the $conf['pass_convert'] function to salt the password database.

A nice feature would be to have a salt field on the install page with a pre-filled random salt grain in it.
Tags: No tags attached.
browser: any
Database engine and version:
PHP version:
Web server: Apache 1.3.x
Attached Files:

- Relationships

-  Notes
(0006718)
svn (reporter)
2012.11.02 14:59

[Subversion] r18889 by plg on trunk

-----[Subversion commit log]----------------------------------------------------
feature 2727: improve password security with the use of PasswordHash class.
This class performs salt and multiple iterations. Already used in Wordpress,
Drupal, phpBB and many other web applications.

$conf['pass_convert'] is replaced by $conf['password_hash'] + $conf['password_verify']
(0006719)
svn (reporter)
2012.11.02 15:39

[Subversion] r18890 by plg on trunk

-----[Subversion commit log]----------------------------------------------------
feature 2727: improved backward compatibility with ['pass_convert']
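
The migration these two commits describe (a bare MD5 replaced by a salted, iterated hash, with old hashes still accepted), sketched as an added example that is not Piwigo's code. It assumes PHP 5.6+ and uses PHP's built-in password_hash()/password_verify() as a stand-in for the PasswordHash class; legacy_hash() and verify_and_upgrade() are hypothetical names, and the sample rows are constructed.

```php
<?php
// Added illustration, not Piwigo code. PHP's built-in password_* functions
// stand in for the PasswordHash class mentioned in r18889 (assumption).

// Legacy scheme from the report: a bare, unsalted MD5 of the password.
function legacy_hash($password)
{
    return md5($password);
}

// Hypothetical helper: checks a login against either hash format and, on
// success, returns a replacement hash when the stored one should be upgraded.
function verify_and_upgrade($password, $stored)
{
    // 32 lowercase hex characters is how md5() output looks in the database.
    $is_legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;

    $ok = $is_legacy
        ? hash_equals($stored, legacy_hash($password)) // constant-time compare
        : password_verify($password, $stored);
    if (!$ok) {
        return array('ok' => false, 'new_hash' => null);
    }

    $new_hash = null;
    if ($is_legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        // Random per-user salt and a work factor are embedded in the result.
        $new_hash = password_hash($password, PASSWORD_DEFAULT);
    }
    return array('ok' => true, 'new_hash' => $new_hash);
}

// Constructed sample rows: two users who chose the same password.
$db = array('alice' => legacy_hash('s3cret-example'),
            'bob'   => legacy_hash('s3cret-example'));
echo 'legacy hashes identical: ';
var_dump($db['alice'] === $db['bob']);

// Each successful login rewrites that user's row in the new format.
foreach (array_keys($db) as $user) {
    $r = verify_and_upgrade('s3cret-example', $db[$user]);
    if ($r['ok'] && $r['new_hash'] !== null) {
        $db[$user] = $r['new_hash'];
    }
}
echo 'upgraded hashes identical: ';
var_dump($db['alice'] === $db['bob']);
echo 'upgraded hash still verifies: ';
var_dump(verify_and_upgrade('s3cret-example', $db['alice'])['ok']);
```

Accounts that never log in again keep their MD5 hash, so the legacy branch has to remain until those rows are reset or expired.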

- Issue History
Date Modified Username Field Change
2012.08.21 15:55 kubrick New Issue
2012.08.21 15:55 kubrick browser => any
2012.08.21 15:55 kubrick Web server => Apache 1.3.x
2012.11.02 14:50 plg Assigned To => plg
2012.11.02 14:50 plg Status new => assigned
2012.11.02 14:50 plg Target Version => 2.5.0beta2
2012.11.02 14:50 plg Summary Piwigo stores unsalted passwords. => Piwigo stores unsalted passwords
2012.11.02 14:59 svn Checkin
2012.11.02 14:59 svn Note Added: 0006718
2012.11.02 15:12 plg Status assigned => closed
2012.11.02 15:12 plg Resolution open => fixed
2012.11.02 15:12 plg Fixed in Version => 2.5.0beta2
2012.11.02 15:39 svn Checkin
2012.11.02 15:39 svn Note Added: 0006719

