View Issue Details

IDProjectCategoryView StatusLast Update
09567Feature requests[All Projects] Securitypublic2017-11-03 11:32
ReporterlebergerAssigned ToDenisChenu 
PrioritynormalSeverityfeature 
Status closedResolutionreopened 
Product Version 
Target VersionFixed in Versiondevelop 
Summary09567: no salt used for password hashing.
DescriptionApparently, no salts are used for passwords.
It is obviously a security issue.
Additional InformationHint to solve this problem.

https://crackstation.net/hashing-security.htm

When implementing this, you can either force the users to reset their password (so that you have ONLY salted passwords), or keep the old password "retro compatible" (thus salt is an empty string). However, if you prefer the second option, we should encourage admins to force the reset of all passwords.
TagsNo tags attached.

Activities

DenisChenu

DenisChenu

2015-03-21 11:27

developer   ~31874

https://github.com/LimeSurvey/LimeSurvey/blob/master/application/core/plugins/Authdb/Authdb.php#L119

hash('sha256', $password)
DenisChenu

DenisChenu

2015-03-21 11:29

developer   ~31875

No salt rigth
DenisChenu

DenisChenu

2017-10-10 16:33

developer   ~44563

Maybe adding 2 salt and update it at each login. One current (empty at start for old user), one next. Compare password with crypted pasword ith current hash and save it with future hash after. Move futire to current and create a new one for future.
One CMS use this system (+ some javascript crypting function)
DenisChenu

DenisChenu

2017-10-21 17:36

developer   ~44778

https://github.com/LimeSurvey/LimeSurvey/pull/838
DenisChenu

DenisChenu

2017-10-31 15:02

developer   ~44912

Updated : https://github.com/LimeSurvey/LimeSurvey/pull/840
markusfluer

markusfluer

2017-11-01 13:35

developer   ~44919

Fix committed to develop branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=24369

Related Changesets

LimeSurvey: develop f5aa619f

2017-10-30 18:44:02

DenisChenu


Committer: markusfluer Details Diff
Fixed issue 09567: no salt used for password hashing.
Fixed issue : Unable to update user on User management
Fixed issue : unsave user params show as success
Dev: usage password_hash/password_verify
Dev: move all function to model (not to plugin (?))
Dev: don't find other one, but sill search for it
mod - application/commands/ResetPasswordCommand.php Diff File
mod - application/controllers/InstallerController.php Diff File
mod - application/controllers/admin/authentication.php Diff File
mod - application/controllers/admin/useraction.php Diff File
mod - application/core/UserIdentity.php Diff File
mod - application/core/plugins/Authdb/Authdb.php Diff File
mod - application/core/plugins/Authwebserver/Authwebserver.php Diff File
mod - application/models/User.php Diff File

Issue History

Date Modified Username Field Change
2015-03-17 12:35 leberger New Issue
2015-03-21 11:27 DenisChenu Note Added: 31874
2015-03-21 11:27 DenisChenu Status new => closed
2015-03-21 11:27 DenisChenu Assigned To => DenisChenu
2015-03-21 11:27 DenisChenu Resolution open => no change required
2015-03-21 11:27 DenisChenu Fixed in Version => 2.00+
2015-03-21 11:29 DenisChenu Assigned To DenisChenu =>
2015-03-21 11:29 DenisChenu Note Added: 31875
2015-03-21 11:29 DenisChenu Status closed => feedback
2015-03-21 11:29 DenisChenu Resolution no change required => reopened
2015-03-21 11:29 DenisChenu Status feedback => new
2017-10-10 16:33 DenisChenu Note Added: 44563
2017-10-21 17:33 DenisChenu Assigned To => DenisChenu
2017-10-21 17:33 DenisChenu Status new => assigned
2017-10-21 17:36 DenisChenu Note Added: 44778
2017-10-31 15:02 DenisChenu Note Added: 44912
2017-11-01 13:35 markusfluer Changeset attached => LimeSurvey develop f5aa619f
2017-11-01 13:35 markusfluer Note Added: 44919
2017-11-03 11:32 markusfluer Status assigned => closed
2017-11-03 11:32 markusfluer Fixed in Version 2.00+ => develop