Just realized that the v3.5 of phplist xfers the post data in plaintext. The user/passwd can easily be seen. Is this fixed in the newer versions… or in the production version??
Also, can anyone tell me what codebase this was based on… I’m assuming from looking over the logic of the code, that this was built in the early 2000’s and hasn’t really been rebuilt using more modern processes/ Am I correct in my guesses??
When a user types a password in an HTML <input type=password …> field it will normally be sent to the server as-is, i.e. without any hashing or salting. This is why this should never be done without HTTPS. But if you are using HTTPS with secure settings this should be OK. That’s what most web applications do.