I'm concerned the security for quick.CMS is weak, and made even weaker by having plain text admin username and password in the /database/config/general.php file.
Shouldn't the system be using a SHA hash to store this? Can we re-write scripts to do this, or do we need the development team to fix the core? (Store hash / retrieve hash)
Is there anything else to be done to properly secure this CMS?
treewood: those are some good overall security measures, but it really does not address the fact that the script stores the user and password as clear text in the config file. If the program stored it using SHA and checked it using SHA it would be a lot more secure and not really any more complex, would it?
(I could dig through the core code and try to apply this, but then an upgrade of the base CMS would over-write it.)
By hashing the password, it cannot be found in clear text in the config file and simply used. When the passphrase is provided again and hashed, a match is made.
Based on work by clay at hungred.com and NOT tested by me:

// Hash a passphrase with a salt using SHA-512. The original snippet used
// an undefined $key; it is assumed here to be a site-wide secret, and the
// value below is only a placeholder to be replaced.
function HashMe($phrase, $salt) {
    $key = 'CHANGE-ME-site-secret';
    return hash('sha512', $salt . $key . $phrase);
} // END FUNCTION

// TO STORE PASSWORD -- I chose to make the username the salt for the hash
$username = $_POST['sLogin'];
$password = $_POST['sPass'];
$salt = $username;
$hashed_password = HashMe($password, $salt);
// save $hashed_password to $config['pass']
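The store-and-verify flow the post describes, as an added example written for this thread. It is not code from quick.CMS, from hungred.com, or from the poster, and it goes beyond the post's SHA-512 snippet: it uses PHP's built-in password_hash()/password_verify(), which embed a random per-user salt and use a deliberately slow algorithm (a single SHA-512 over a predictable salt plus password can be guessed at billions of candidates per second on a GPU). It assumes the login fields sLogin/sPass and the $config['pass'] entry named above; the $config array below is a constructed stand-in for /database/config/general.php, not the real file. It also shows how an installed site could migrate its existing plaintext entry to a hash at the next successful login.

```php
<?php
// Added example for this thread; not quick.CMS code. Assumes $config['pass']
// holds either the legacy plaintext password or a password_hash() string.

// Constructed stand-in for /database/config/general.php (not the real file).
$config = array(
    'login' => 'admin',
    'pass'  => 'plaintext-secret',   // legacy plaintext value
);

// Hash a password for storage. PASSWORD_DEFAULT is bcrypt on current PHP;
// the random salt and cost are embedded in the returned string.
function hashForStorage($password) {
    return password_hash($password, PASSWORD_DEFAULT);
}

// True if $stored is a password_hash() output rather than plaintext.
// 'algo' is 0 / null for strings password_hash() did not produce.
function isHashed($stored) {
    $info = password_get_info($stored);
    return !empty($info['algo']);
}

// Check a login attempt. Returns array(bool ok, string|null newHashToStore).
// When the stored value is still plaintext and matches, a hash is returned
// so the caller can rewrite the config file and retire the plaintext copy.
function checkLogin(array $config, $login, $password) {
    // Constant-time compare so the username check does not leak by timing.
    if (!hash_equals($config['login'], $login)) {
        return array(false, null);
    }
    $stored = $config['pass'];

    if (isHashed($stored)) {
        if (!password_verify($password, $stored)) {
            return array(false, null);
        }
        // Re-hash if the default algorithm or cost has changed since storage.
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
             ? hashForStorage($password) : null;
        return array(true, $new);
    }

    // Legacy plaintext entry: constant-time compare, then upgrade to a hash.
    if (!hash_equals($stored, $password)) {
        return array(false, null);
    }
    return array(true, hashForStorage($password));
}

// Render the updated entries in the shape a PHP config file uses.
function renderConfig(array $config) {
    return "<?php\n"
         . "\$config['login'] = " . var_export($config['login'], true) . ";\n"
         . "\$config['pass']  = " . var_export($config['pass'], true) . ";\n";
}

// Demo: the first login against the plaintext entry migrates it to a hash.
list($ok, $newHash) = checkLogin($config, 'admin', 'plaintext-secret');
if ($ok && $newHash !== null) {
    $config['pass'] = $newHash;
    echo renderConfig($config);   // what would be written back to general.php
}

// Later logins verify against the hash; a wrong password is rejected.
$again = checkLogin($config, 'admin', 'plaintext-secret');
$wrong = checkLogin($config, 'admin', 'wrong');
echo 'correct password accepted: ', $again[0] ? 'yes' : 'no', "\n";
echo 'wrong password accepted:   ', $wrong[0] ? 'yes' : 'no', "\n";
```

The migration branch means the plaintext only survives in the file until the admin next logs in; after that, anyone who reads general.php gets a bcrypt hash rather than a reusable password, though as the reply below notes, a reader with write access to the file can still replace the hash with one they know.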
timatidg - OK, but I don't see any reason to hash passwords. Why would it be needed? If someone gets access to FTP then he/she will have access to the whole page. Hashing passwords in this situation will not solve the problem.
Tell me, what will hashing passwords give? I see only problems. Many people forget passwords and they only need to log in to FTP and edit the file to check their password. With hashed passwords we must do a password reminder or reset the password by email, etc. I don't think it is very important and I don't think that it will increase security on the page.