password could get inserted as plaintext when adding a user #425
Comments
NEVER compare strings with Write your server configuration. Also, need more information. Is this problem repeatable?
Is phpinfo() enough (attached)? What else do you want to know about the server? It is a virtual one via KVM. From the server log, here is how the process with the biggest amount of RAM was killed (clamd / ClamAV):

Aug 24 16:01:08 server kernel: [4368128.572765] Out of memory: Kill process 364 (clamd) score 273 or sacrifice child

Seems to be normal behaviour on Linux to kill the process with the highest RAM usage. We came upon this when we saw this SMTP error, because a customer did not get his mail with login information from PHPAuth:

SMTP Error: data not accepted. SMTP server error: DATA END command failed Detail: Service unavailable - try again later

The mail service was also killed / did not have enough RAM to operate correctly. Because the PHPAuth user was stored in the database already and the mail was not sent, we checked the server log and also the user itself in phpauth_users. Because the customer knew their password, I was confused when I saw it in plain text in the db... I did not try to reproduce this problem yet, but it happened.
I'll think about your problem. I'll implement this in V2 PHPAuth... later. Thank you.
@KarelWintersky V2?
Okay, I found out that the plain-text password was inserted by myself via updateUser() and I forgot to hash the password in a very rare case... Because of this, I would also suggest implementing a check in updateUser() if params contains password:
@Conver, yeah. Fluent config, more exceptions etc.
@KarelWintersky interesting, let me know if you need help.
@louis123562 - I can add this next week 👍
@Conver, I really need more hours in a day. ;-)
Hey,
I think there is a missing check on the "hashed" password in function addUser(), to verify that the password is really hashed.
On my server, there was not enough RAM available for executing another process (in this case, I guess, hashing the password), and somehow the password of the new user was stored in plain text in phpauth_users. I was lucky and noticed it very fast...
At least there should be something like
What do you think? That my server had not enough memory was my fault for sure, but it is a case that could happen.
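The guard discussed in this issue and in the updateUser() comment above, as an added example that is not PHPAuth's own code: before anything reaches the password column, confirm it is a recognised password_hash() output, and treat a failed or partial hash as an error rather than inserting whatever came back. The table name phpauth_users is taken from the thread; the column name `password`, the function names and the `$pdo` handle are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not PHPAuth's own code. phpauth_users is the table named in
// the issue; the 'password' column, these function names and $pdo are assumed.

/**
 * Throw unless $value is something password_hash() could have produced.
 * password_get_info() reports algoName 'unknown' for any string that is not
 * a recognised hash, which covers the plaintext case described in the issue.
 */
function assertLooksHashed(string $value): void
{
    $info = password_get_info($value);
    if ($info['algoName'] === 'unknown') {
        throw new RuntimeException('refusing to store a non-hashed password');
    }
}

/**
 * Hash $plain and verify the result before handing it back. If hashing fails
 * (e.g. under memory pressure), this throws instead of returning a value that
 * a caller would insert as-is.
 */
function hashPassword(string $plain): string
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    // PHP < 8 returns false on failure; PHP 8 throws. Keep both paths safe.
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    assertLooksHashed($hash);
    if (!password_verify($plain, $hash)) {
        throw new RuntimeException('hash does not verify against its input');
    }
    return $hash;
}

function addUser(PDO $pdo, string $email, string $plainPassword): void
{
    $hash = hashPassword($plainPassword);
    assertLooksHashed($hash); // last check right before the INSERT, as the issue suggests
    $stmt = $pdo->prepare(
        'INSERT INTO phpauth_users (email, password) VALUES (:email, :password)'
    );
    $stmt->execute([':email' => $email, ':password' => $hash]);
}

/**
 * The updateUser() case from the thread: callers may pass a plaintext
 * 'password' in $params, so it is hashed here and no caller can forget to.
 * Column names are whitelisted so $params cannot inject SQL.
 */
function updateUser(PDO $pdo, int $uid, array $params): void
{
    $allowed = ['email', 'password'];
    $sets = [];
    $bind = [':uid' => $uid];
    foreach ($params as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("unknown column: $column");
        }
        if ($column === 'password') {
            $value = hashPassword((string) $value);
            assertLooksHashed($value);
        }
        $sets[] = "$column = :$column";
        $bind[":$column"] = $value;
    }
    if ($sets === []) {
        return;
    }
    $stmt = $pdo->prepare(
        'UPDATE phpauth_users SET ' . implode(', ', $sets) . ' WHERE id = :uid'
    );
    $stmt->execute($bind);
}

// Constructed sample run against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE phpauth_users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)');

addUser($pdo, 'user@example.com', 'correct horse battery staple');
updateUser($pdo, 1, ['password' => 'new-secret']);

$stored = $pdo->query('SELECT password FROM phpauth_users WHERE id = 1')->fetchColumn();
echo 'stored value is a ' . password_get_info($stored)['algoName'] . " hash\n";
echo 'new password verifies: ' . var_export(password_verify('new-secret', $stored), true) . "\n";
echo 'old password verifies: ' . var_export(password_verify('correct horse battery staple', $stored), true) . "\n";
```

The check is deliberately placed twice: inside hashPassword(), so a caller never receives a non-hash, and again immediately before each write, so a future code path that bypasses hashPassword() (the updateUser() mistake described above) still cannot persist plaintext.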