Re: we need to integrate new password algorithm ASAP

by skenow on 2008/3/13 19:51:19

Another place to look at for username/password security is banners.php - it has separate functions for clients and client logins that get stored in another table.
Re: we need to integrate new password algorithm ASAP

by Vaughan on 2008/3/12 14:36:19

Thanks Giba, I'm glad the translation was ok :)

As for your concerns about cleaning output & input: if my concept works with the HTML Purifier branch, then I'm pretty sure that will be a huge benefit to the security of ICMS.

At the moment I have ideas and thoughts in my head and I can see an end result of what I want to achieve, but I am having a hard time getting those thoughts out of my head and into written words so that I can give everyone a picture.

I will try to write a blog this weekend and get my thoughts on screen in a clear & understandable manner, in order for translations to be more accurate so that you can understand better.
Re: we need to integrate new password algorithm ASAP

by GibaPhp on 2008/3/12 14:16:30

Many, many thanks, Vaughan.

Even using the translator I could fully understand their words. I think you did a great job of writing this message.

I fully agree with you on all terms, especially when you tried to warn about the origin of the security problem.

On the question of 'sha256' being native in PHP 5, really, you are right too.

I am sure that your value to the team, if ImpressCMS continues to specialize in security, will be great, and your recognition will be immense across the whole community. We know that a person with this responsibility is in charge of a very critical sector, and we all know this.

Now I remain very concerned about the issue when we already have something recorded in the database and the output via query could prove to be compromising data, and it also allows the server to expose new malicious code, with nothing currently failing.

The issue of protecting the output is worrying me quite a lot, because we could not solve the problem and also because this code is constantly destroying our database.

Anyway, thank you for your service to the community, and I know how to value information of this nature. I am also studying a lot so as not to program wrongly, but I agree that a verification tool is important and vital.
Re: we need to integrate new password algorithm ASAP

by Vaughan on 2008/3/12 9:02:51

I agree, Giba. Although Wishcraft and I got off to a bad start, we are both now amicable towards each other; we both overreacted, me because when trying to help someone I was deemed a bad person simply because of who I am and my relationship to ICMS.

However I hope that this history can be cleared up.

As I have just proved, security issue aside, when people collaborate & help each other, everything moves more fluently as well as calmly.

Security has to be a high priority. Up until yesterday I had never attempted or even knew how to properly inject SQL into a URL. But since starting with ImpressCMS, I have done some reading, and it seems that my reading is paying off slowly.

You can't properly secure something unless you understand how SQL injection and XSS work; this is what I am currently learning in my own time. And yes, I also agree it is far better when someone who hacks your site tells you exactly how they did it. A demonstration shouldn't be needed, but it is more helpful to know why that exploit works; once you know the whys, it is far easier to protect from it. But saying that, it can be difficult to spot a vulnerability by looking at code, so essentially we need tools to help as well. A cracker/hacker is a great tool because it's a real person who you can talk with (providing they are willing to offer assistance).

And assistance I will also give to Wishcraft should he require any. After all, it's the users who suffer most when these kinds of exploits get attention from the wrong people, & ICMS, XOOPS, XC, Joomla etc. are nothing without their users.

@Giba: the new password algorithm uses the PHP 5 native hash('sha256', $password) function.

But there's a fallback standalone script if the PHP 5 hash function is not detected, as will be the case for PHP 4 users, so both PHP 4 & 5 users will not have any problems.
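The scheme Vaughan describes above, as an added example that is not ImpressCMS's code and not the actual fallback script: a pure-PHP SHA-256 stands in for the fallback so both paths produce the same digest, and the icms_* function names and the 64-bit PHP assumption are mine.

```php
<?php
// Added example, not ImpressCMS code: the scheme the post describes, i.e. PHP 5's native
// hash('sha256') when present, else a standalone pure-PHP SHA-256 (stand-in for the
// fallback script). Assumes 64-bit PHP integers; icms_* names are hypothetical.
function icms_rotr32($x, $n) {  // 32-bit right rotation
    return (($x >> $n) | ($x << (32 - $n))) & 0xffffffff;
}
function icms_sha256_fallback($msg) {
    static $k = array(
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2);
    $h = array(0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19);
    $len = strlen($msg);  // pad: 0x80, zeros up to 56 mod 64, then 64-bit big-endian bit length
    $msg .= "\x80" . str_repeat("\0", (119 - $len % 64) % 64) . pack('NN', 0, $len * 8);
    for ($i = 0; $i < strlen($msg); $i += 64) {
        $w = array_values(unpack('N16', substr($msg, $i, 64)));
        for ($t = 16; $t < 64; $t++) {  // message schedule
            $s0 = icms_rotr32($w[$t - 15], 7) ^ icms_rotr32($w[$t - 15], 18) ^ ($w[$t - 15] >> 3);
            $s1 = icms_rotr32($w[$t - 2], 17) ^ icms_rotr32($w[$t - 2], 19) ^ ($w[$t - 2] >> 10);
            $w[$t] = ($w[$t - 16] + $s0 + $w[$t - 7] + $s1) & 0xffffffff;
        }
        list($a, $b, $c, $d, $e, $f, $g, $hh) = $h;
        for ($t = 0; $t < 64; $t++) {  // compression rounds
            $t1 = ($hh + (icms_rotr32($e, 6) ^ icms_rotr32($e, 11) ^ icms_rotr32($e, 25))
                + (($e & $f) ^ (~$e & $g)) + $k[$t] + $w[$t]) & 0xffffffff;
            $t2 = ((icms_rotr32($a, 2) ^ icms_rotr32($a, 13) ^ icms_rotr32($a, 22))
                + (($a & $b) ^ ($a & $c) ^ ($b & $c))) & 0xffffffff;
            $hh = $g; $g = $f; $f = $e; $e = ($d + $t1) & 0xffffffff;
            $d = $c; $c = $b; $b = $a; $a = ($t1 + $t2) & 0xffffffff;
        }
        foreach (array($a, $b, $c, $d, $e, $f, $g, $hh) as $j => $v) {
            $h[$j] = ($h[$j] + $v) & 0xffffffff;
        }
    }
    $digest = '';
    foreach ($h as $v) { $digest .= pack('N', $v); }
    return bin2hex($digest);  // lowercase hex, same format hash('sha256') returns
}
function icms_hash_password($password) {  // native when available, else the fallback
    return function_exists('hash') ? hash('sha256', $password) : icms_sha256_fallback($password);
}
// Known SHA-256 test vector for 'abc': the fallback must match what hash() would return.
var_dump(icms_sha256_fallback('abc') === 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad');
```

Because both paths yield byte-identical digests, hashes stored by a PHP 4 install stay valid after an upgrade to PHP 5, which is the property the fallback has to guarantee.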
Re: we need to integrate new password algorithm ASAP

by davidl2 on 2008/3/12 2:38:32

Total agreement with you!