
Login form - post data in plaintext


#1

Hi.

Just realized that the v3.5 of phplist xfers the post data in plaintext. The user/passwd can easily be seen. Is this fixed in the newer versions… or in the production version??

Also, can anyone tell me what codebase this was based on… I’m assuming from looking over the logic of the code, that this was built in the early 2000’s and hasn’t really been rebuilt using more modern processes. Am I correct in my guesses??

thanks


#2

@xheni May know about the plain text issue


#3

When a user types a password in an HTML <input type=password …> field it will normally be sent to the server as-is, i.e. without any hashing or salting. This is why this should never be done without HTTPS. But if you are using HTTPS with secure settings this should be OK. That’s what most web applications do.


#4

and if a user doesn’t have the web server set to do “secure” transactions… then the default is to http… and you get text…

for my $0.02… an app should “encrypt/decrypt” all data across the pipe.
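
Putting #3 and #4 together: the browser sends the password field as-is, so the only place to guarantee it is encrypted on the wire is the transport, and the application can at least refuse to process a login that arrived over plain HTTP. The PHP below is an added example, not phpList's own code. It assumes either direct TLS termination (`$_SERVER['HTTPS']`) or a reverse proxy that sets `X-Forwarded-Proto` itself, and takes a deployer-supplied host allow-list (`$allowedHosts`) so the redirect cannot be steered by an attacker-controlled `Host` header; all function names and the sample request arrays are constructed for the example.

```php
<?php
// Added example, not phpList's own code: refuse to accept a login POST that did not
// arrive over HTTPS, and harden the session cookie once it has.
// Assumptions: TLS is terminated either by the web server itself ($_SERVER['HTTPS'])
// or by a reverse proxy that overwrites X-Forwarded-Proto; $allowedHosts comes from
// the deployer's configuration.

declare(strict_types=1);

/** True when the request reached PHP over TLS, directly or via a trusted proxy. */
function request_is_https(array $server, bool $trustProxyHeader = false): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    // Only honour the proxy header when the deployer says the proxy is trusted;
    // a client can set this header itself if nothing in front of PHP strips it.
    if ($trustProxyHeader
        && isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower((string) $server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

/**
 * Returns the HTTPS URL to redirect to, or null when the request is already secure.
 * The Host header is used only if it is on the allow-list, so a forged Host cannot
 * turn this into an open redirect.
 */
function https_redirect_target(array $server, array $allowedHosts, bool $trustProxyHeader = false): ?string
{
    if (request_is_https($server, $trustProxyHeader)) {
        return null;
    }
    $host = $server['HTTP_HOST'] ?? '';
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $host . $uri;
}

/** Call this on the login page before session_start() and before reading $_POST. */
function enforce_https_for_login(array $allowedHosts, bool $trustProxyHeader = false): void
{
    $target = https_redirect_target($_SERVER, $allowedHosts, $trustProxyHeader);
    if ($target !== null) {
        // Do not touch $_POST here: anything in it already crossed the wire in the
        // clear, and silently re-posting it over HTTPS would only hide that fact.
        header('Location: ' . $target, true, 301);
        exit;
    }
    // The session cookie must never travel back over plain HTTP, and browsers
    // should remember to use HTTPS for this host on later visits (HSTS).
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// Constructed sample requests (not captured traffic) so the decision can be seen offline.
$allowed = ['lists.example.org'];

$plainHttp = ['HTTP_HOST' => 'lists.example.org', 'REQUEST_URI' => '/admin/?page=login'];
var_dump(https_redirect_target($plainHttp, $allowed));            // redirect to https://

$directTls = $plainHttp + ['HTTPS' => 'on'];
var_dump(https_redirect_target($directTls, $allowed));            // no redirect

$behindProxy = $plainHttp + ['HTTP_X_FORWARDED_PROTO' => 'https'];
var_dump(https_redirect_target($behindProxy, $allowed));          // redirect: proxy header not trusted
var_dump(https_redirect_target($behindProxy, $allowed, true));    // no redirect: proxy trusted

$forgedHost = ['HTTP_HOST' => 'attacker.example', 'REQUEST_URI' => '/admin/'];
var_dump(https_redirect_target($forgedHost, $allowed));           // redirect stays on lists.example.org
```

The redirect is a backstop, not the fix: by the time the server sees a plain-HTTP POST the credentials have already been exposed, which is exactly the point made in #3. What actually prevents the exposure is serving the login form itself only over HTTPS (web-server redirect or HSTS so the browser never makes the first plain request on later visits) and keeping the session cookie `Secure` so a stolen or downgraded connection cannot replay it.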


#5

well, there is a reason why HTTPS exists :wink: