stats program? Basically, this URL is used to log a user into SMF; however, it is something that does not get logged to browser history and should never be seen by the user.
The URL will indeed be logged in the browser's history, because at some point, the browser is directed to that URL, whether directly (by clicking on something) or indirectly (being redirected there from another page). Server-side stats programs such as AWStats will also log the URL since the user visited that URL.
Passing the un-hashed password via the query string is extremely insecure - especially on public computers. This is a serious flaw that needs to be addressed. We have already made the decision to warn our users about this, and we would appreciate it if you addressed this.
« Last Edit: February 18, 2007, 11:00:34 PM by Oldiesmann »
Thanks for your post. Please do not alarm my users with false claims. I have tested this in all major browsers (IE, Firefox, Opera) and the URL does not get logged to the browser history if the bridge is properly configured. Unless you have tested this, I don't appreciate the unfounded implication. Although this code is not mine, it has been in the bridge since inception. That does not excuse it; however, I debate that point and do not wish to alarm the users of this bridge without cause.
Server-side stats may indeed log the URL; however, this was the first report of such.
I have attempted to refactor this code in the past and received very few responses and none from the dev team. (see this topic). Any help you can provide beyond your initial post would be very much appreciated.
In fact, it is a component for the back end. In theory, only the admin has access to all stats, but I think that not even the admin should see the passwords of visitors. But like I said before, it only gets logged in the JoomStats if the login was from the forum and not the JSMF. I don't know why this happens; if I discover something else, I'll keep in touch.
Are you still having problems with the Login2 function? I wasn't aware of that post.
If you have to pass the password through the URL, you should pass the encrypted password and set hash_passwrd to "1". The code we use to hash passwords is as follows:
Code:
sha1(strtolower({membername}) . {password});
{membername} = the username, {password} = the password
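The following is an added example, not code from the thread, the bridge, or SMF itself. It builds the Login2 query string both ways (plaintext password with hash_passwrd=0, and sha1(strtolower(membername) . password) with hash_passwrd=1, as the post above describes) and shows what a server-side check has to do with each. The parameter names `user` and `passwrd` and the base URL are assumptions for illustration. It also shows why hash_passwrd=1 only limits the damage: the hash is a fixed, unsalted function of the username and password, so whatever copy of the URL ends up in a history or stats log can still be replayed to log in.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed endpoint and parameter names, used only for this example.
LOGIN2_URL = "http://forum.example/index.php?action=login2"


def smf_password_hash(membername: str, password: str) -> str:
    """sha1(strtolower(membername) . password), as stated in the post above.

    Python's lower() and PHP's strtolower() agree for ASCII usernames;
    for non-ASCII names the two may differ (caveat, not from the page).
    """
    return hashlib.sha1((membername.lower() + password).encode("utf-8")).hexdigest()


def build_login_url(membername: str, password: str, hashed: bool) -> str:
    """Build the Login2 URL the bridge would redirect the browser to."""
    if hashed:
        params = {
            "user": membername,
            "passwrd": smf_password_hash(membername, password),
            "hash_passwrd": "1",
        }
    else:
        params = {"user": membername, "passwrd": password, "hash_passwrd": "0"}
    return LOGIN2_URL + "&" + urlencode(params)


def server_login_check(url: str, stored_hashes: dict) -> bool:
    """What the receiving side must do to validate either form of the URL.

    stored_hashes maps membername -> sha1(strtolower(membername) . password),
    i.e. the same value SMF stores for the member (assumption for this demo).
    """
    q = parse_qs(urlsplit(url).query)
    user = q.get("user", [""])[0]
    passwrd = q.get("passwrd", [""])[0]
    already_hashed = q.get("hash_passwrd", ["0"])[0] == "1"
    candidate = passwrd if already_hashed else smf_password_hash(user, passwrd)
    expected = stored_hashes.get(user)
    # Constant-time comparison so the check does not leak by timing.
    return expected is not None and hmac.compare_digest(candidate, expected)


def credential_in_log_line(url: str) -> str:
    """What a history or AWStats-style log entry of this URL exposes."""
    return parse_qs(urlsplit(url).query).get("passwrd", [""])[0]


def demo():
    """Constructed sample account; returns the facts the test asserts on."""
    member, password = "Alice", "s3cret-pass"
    stored = {member: smf_password_hash(member, password)}

    plain_url = build_login_url(member, password, hashed=False)
    hashed_url = build_login_url(member, password, hashed=True)

    # The hashed URL no longer carries the password itself ...
    plain_leaks_password = credential_in_log_line(plain_url) == password
    hashed_leaks_password = credential_in_log_line(hashed_url) == password

    # ... but a logged copy of it (the "replay") still logs the user in,
    # so the URL must still be kept out of history and server logs.
    logged_copy = hashed_url
    replay_succeeds = server_login_check(logged_copy, stored)

    # A tampered hash is rejected.
    bad = hashed_url.replace(stored[member][:4], "0000" if stored[member][:4] != "0000" else "1111")
    tampered_rejected = not server_login_check(bad, stored)

    return {
        "plain_ok": server_login_check(plain_url, stored),
        "hashed_ok": server_login_check(hashed_url, stored),
        "plain_leaks_password": plain_leaks_password,
        "hashed_leaks_password": hashed_leaks_password,
        "replay_succeeds": replay_succeeds,
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical reading: setting hash_passwrd to "1" keeps the cleartext password out of logs, which is worth doing, but the logged hash is still a bearer credential for that account. The real fix the thread is circling is not to put the credential in the query string at all.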
Hey, thanks for the reply, but I don't understand where to change those settings for the password being encrypted.
And just one thing: the password is never shown in the URL in the browser, but it gets logged into JoomlaStats when I log in from the SMF forum and NOT when I log in from the bridge.
I was able to get the Login2() to work correctly for Joomla 1.5; however, there are a few problems that still remain. It does not log in to Joomla, so I'm more than halfway to resolving this for good.
Joomla Hacks is a Joomla Components, Joomla Modules, Joomla Templates, & Joomla Mambots resource portal. None of the text or images in this public website may be copied without the expressed written consent of the authors. Copyright 2005 by JoomlaHacks.com. Powered by Joomla. All rights reserved. Terms of Use