PostNuke should include some protection against Man-In-the-Middle and port sniffer attacks. Currently, PostNuke sends the username and password in plaintext, making it all too easy for anyone with a port sniffer (like ettercap or ethereal) to see the username and password. (If you don't believe me, I can take some screenshots to show you.)
My suggestion is:
PostNuke should use JavaScript (when available) to encode the username and password before sending. There is a JavaScript MD5 library available at http://pajhome.org.uk/crypt/md5/index.html which was released under the BSD license.
For a live example, see http://login.yahoo.com
Suggestion: Protection against MIM/port sniffer attacks
**unknown user**
- Rank: Softmore
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 126
For a good overview, examples, and the JavaScript library, see http://pajhome.org.uk/crypt/md5/chaplogin.html
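As an added worked example (not code from this post, from PostNuke/Zikula, or from the pajhome library), here is the challenge-response login the linked chaplogin page describes, modelled in Python with both the server and the browser side in one file. It assumes the digest is HMAC-MD5 keyed with the password over a server-issued random challenge (an assumption about the exact construction; the user table and challenge store are constructed for the demo). The point it shows beyond the post is why the challenge must be one-time: a response captured by a sniffer is rejected once its challenge has been consumed, and it does not match any later challenge.

```python
import hmac
import hashlib
import secrets

# Constructed demo data. A scheme of this kind needs the server to hold the
# password (or a password-equivalent secret) so it can recompute the digest.
USERS = {"alice": "correct horse battery staple"}
_outstanding = {}  # username -> the single challenge currently valid for that user


def issue_challenge(username):
    """Server side: generate a fresh, unpredictable, one-time challenge."""
    challenge = secrets.token_hex(16)
    _outstanding[username] = challenge
    return challenge


def client_response(challenge, password):
    """Browser side (what the JavaScript library computes before submit):
    HMAC-MD5 keyed with the password over the challenge. Only this hex digest
    and the username travel over the wire, never the password itself."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def verify_login(username, challenge, response):
    """Server side: accept only a response to the challenge currently
    outstanding for this user, and consume that challenge whether or not the
    attempt succeeds, so a sniffed response cannot be replayed."""
    expected_challenge = _outstanding.pop(username, None)
    if expected_challenge is None or expected_challenge != challenge:
        return False
    password = USERS.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    # Constant-time comparison, so response checking does not leak timing.
    return hmac.compare_digest(expected, response)


def demo():
    """A legitimate login, then two replays of the same sniffed values."""
    chal = issue_challenge("alice")
    resp = client_response(chal, USERS["alice"])
    first = verify_login("alice", chal, resp)    # accepted
    replay = verify_login("alice", chal, resp)   # rejected: challenge consumed
    issue_challenge("alice")                      # a new login attempt begins
    stale = verify_login("alice", chal, resp)    # rejected: challenge mismatch
    return first, replay, stale


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two design points follow from the code: the server has to keep a password-equivalent secret per user to recompute the digest, and the scheme only keeps the password off the wire; it does not protect the rest of the session, which is what transport encryption is for.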