Security Risk: Plain Text Password · Issue #8790 · modxcms/revolution · GitHub

Security Risk: Plain Text Password #8790

Closed
modxbot opened this issue Sep 28, 2012 · 2 comments
Labels
area-security bug The issue in the code or project, which should be addressed.

Comments

@modxbot
Contributor
modxbot commented Sep 28, 2012

scott_karana created Redmine issue ID 8790

Yes, I'm aware of Bug #7278, where this was closed already.
I completely understand showing the user their password, but the fact that it comes out of the blue should be unacceptable if the user is security-conscious.

For example, if I've gone into User>Profile>Reset Password, there is no indication that my new administrator password is going to be echoed back in the plain.
In fact, the use of fields makes it completely deceptive.
Imagine my surprise!

A simple warning div near the password fields would resolve this without changing any design choices, unlike in the previously cited bug #7278.
Text could presumably be something along the lines of "Note: your password will be shown to you for confirmation when you press Save".

I can try to take the time to throw together an ugly patch if nobody is interested, but I'm really not much of a coder.

@modxbot
Contributor Author
modxbot commented Sep 28, 2012

Eiventeleiron submitted:

Pull request fixing the bug: #394

@opengeek
Member

opengeek submitted:

Merged and slightly modified the pull request to add the option not to reveal the password on screen. Will be in 2.2.5-pl.

enigmatic-user pushed a commit to enigmatic-user/revolution that referenced this issue Feb 13, 2014
Merge remote-tracking branch 'Evengard/rel22bug8790' into bug-8790

* Evengard/rel22bug8790:
  [modxcms#8790] adding a possibility to hide the new password after changing via profile reset.
enigmatic-user pushed a commit to enigmatic-user/revolution that referenced this issue Feb 13, 2014
Merge branch 'release-2.2'

* release-2.2: (130 commits)
  Bump version for 2.2.5-pl
  [modxcms#8753] fixing that trivial variable error.
  French translation update
  [modxcms#8196] Changed event type for fieldChangeEvent for combo boxes
  [modxcms#8186] Adding FC rules checking based on reloadData.
  [modxcms#8790] adding a possibility to hide the new password after changing via profile reset.
  [modxcms#7631] add changelog entry
  Fix duplicate beforeSave() in modProcessorObjectCreate
  Italian translation for Revo 2.2.5
  [modxcms#7551] adding an additional check so that the destination static file can't be an existing directory
  Czech translation update
  Correction in setting lexicon
  [modxcms#7654] Fix Update processor for ResourceGroup-restricted TVs
  Preserve backwards compatibility(add 'object' key) after objectType fix
  Last changes in the German translation for Revo 2.2.5
  [modxcms#8767] add changelog entry
  Possible fix for bug [modxcms#4430]
  [modxcms#8767] possible bug fix
  [modxcms#8545] add changelog entry
  [modxcms#8089] add changelog entry
  ...
This issue was closed.