Password Shows during New Install of 1.4.1


Started by trmentry, October 08, 2005, 12:47:08 AM


trmentry

Hello,

I just downloaded 1.4.1 to give it a try.  The same image in multiple albums has great appeal. :)

Anyway, one thing I noticed is that when running install.php, it shows the password for the administrator in the clear. It's not starred out, i.e. *******

Also I think it would be beneficial to have 2 password fields, 1 for the password and 1 to verify. And of course, starred out.

I'm running on my own custom server:
Gentoo 2005.1
Apache 2
GD is installed and I'm currently emerging ImageMagick
PHP 4.4.0
MySQL 4.0.25
Standalone Version

I'll finish the install once I get Imagemagick compiled. 

Thanks


artistsinhawaii

Have you downloaded all of the latest updates from CVS? Do a version check from Admin Tools.

Mine doesn't show the password but rather black dots in its place.

Insofar as adding a second verification password field, that would have to be submitted in the feature request board. There is a freeze on new features for 1.4x.

Dennis
Learn and live ... In January of 2011, after a botched stent attempt, the doctors told me I needed a multiple bypass surgery or I could die.  I told them I needed new doctors.

Nibbler

The installer doesn't mask the password, it never has. I wouldn't consider it a bug though.

trmentry

Thanks for the info Nibbler. It's been a long time since I did a fresh install of CPG. My 1.3x install is running nicely and I didn't remember if the password was masked or not when I first installed it.


Joachim Müller

All of the info entered into the installer is highly-sensitive: the mySQL data is much more important than the coppermine admin password imo. The installer shouldn't be executed on an untrusted machine at all (e.g. an internet café). There's always the possibility of a man-in-the-middle attack though, but then again it won't help to make the input fields display only asterisks instead of the plain text, as the data currently will be sent unencrypted anyway. To actually make this process more secure, the whole installer would have to be re-coded from scratch, which is not an option for cpg1.4.x (we have a feature freeze, remember). Imo this is not a bug, but a missing feature, so I'm moving this thread from "CPG 1.4 Testing/Bugs" to approved feature requests.
The installer has been on my personal list of stuff that needs improvement anyway, so as this thread now exists, let's summarize what I would like changed:
  • wizard-like interface: there are too many fields that need to be filled out in just one step, which makes the installer hard to use for newbies. That's why I would like to have an installer that leads the user through all the data step by step
  • internationalization needed: the installer should be able to come in many languages, with the default language being the one the user's browser is set to (if this language exists)
  • There should be checks in the installer whether the albums and include folders are writable (not using is_writable, but instead actually writing dummy files and deleting them again).
  • There should be checks for the image library the user has chosen (valid IM path)
  • There should be checks if the mySQL data is correct. All needed mySQL commands should be checked (is the mySQL user actually capable of executing a "create table" query etc.?)
  • The form fields for all sensitive data could be done using some JavaScript code that reads the input client-side, encrypts it (client-side) and puts the encrypted stuff into hidden fields that finally get sent, while the original input fields get cleared on submit
Joachim
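The two concrete points raised in this thread, the masked and confirmed admin password from the opening post and the installer pre-flight checks from Joachim's list (real write probes instead of is_writable, a valid IM path, and the MySQL privileges actually exercised), as an added example. This is not Coppermine's own installer code; it assumes PHP 7+ with PDO, and the directory names, ImageMagick path, DSN, credentials and table prefix are placeholders.

```php
<?php
// Added example, not Coppermine's own installer code: the pre-flight checks and
// password-field handling proposed in this thread, written for PHP 7+ with PDO.
// Directory names, the ImageMagick path, the DSN, the credentials and the table
// prefix below are placeholders (assumptions), not values taken from Coppermine.
declare(strict_types=1);

// Writability check that really writes: is_writable() can report true under
// open_basedir, ACLs or NFS while the write still fails, so create, read back
// and delete a randomly named probe file instead.
function dirReallyWritable(string $dir): bool
{
    if (!is_dir($dir)) {
        return false;
    }
    $probe = rtrim($dir, '/\\') . '/.write_probe_' . bin2hex(random_bytes(8));
    if (@file_put_contents($probe, "probe\n", LOCK_EX) === false) {
        return false;
    }
    $readBack = @file_get_contents($probe) === "probe\n";
    @unlink($probe);
    // Writable but not deletable is still a misconfiguration.
    return $readBack && !file_exists($probe);
}

// The configured ImageMagick binary must exist and be executable by the web user.
function imageMagickUsable(string $convertPath): bool
{
    return is_file($convertPath) && is_executable($convertPath);
}

// Check MySQL privileges by running the statements the installer will need on a
// throwaway table, instead of only checking that the connection opens.
// Returns the list of statements that failed (empty array = all privileges OK).
function mysqlPrivilegeProblems(PDO $pdo, string $prefix): array
{
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $table = $prefix . 'install_probe_' . bin2hex(random_bytes(4)); // hex only, safe in backticks
    $steps = [
        'CREATE TABLE' => "CREATE TABLE `$table` (id INT NOT NULL, PRIMARY KEY (id))",
        'INSERT'       => "INSERT INTO `$table` (id) VALUES (1)",
        'SELECT'       => "SELECT id FROM `$table`",
        'DROP TABLE'   => "DROP TABLE `$table`",
    ];
    $problems = [];
    foreach ($steps as $privilege => $sql) {
        try {
            $pdo->query($sql);
        } catch (PDOException $e) {
            $problems[] = $privilege . ': ' . $e->getMessage();
        }
    }
    // Best effort: never leave the probe table behind if an earlier step failed.
    try { $pdo->exec("DROP TABLE IF EXISTS `$table`"); } catch (PDOException $e) {}
    return $problems;
}

// Two masked fields plus a server-side comparison: the masking only stops
// shoulder-surfing, the confirmation catches typos in a password nobody can read back.
function passwordFieldsHtml(): string
{
    return <<<'HTML'
<label>Admin password <input type="password" name="admin_password" autocomplete="new-password"></label>
<label>Repeat password <input type="password" name="admin_password_confirm" autocomplete="new-password"></label>
HTML;
}

function adminPasswordError(array $post): ?string
{
    $password = (string) ($post['admin_password'] ?? '');
    $confirm  = (string) ($post['admin_password_confirm'] ?? '');
    if (strlen($password) < 8) {
        return 'The admin password must be at least 8 characters long.';
    }
    if (!hash_equals($password, $confirm)) {
        return 'The two password fields do not match.';
    }
    return null;
}

// Usage: an installer step would show this report and refuse to continue on failure.
$report = [
    'albums directory writable'  => dirReallyWritable(__DIR__ . '/albums'),
    'include directory writable' => dirReallyWritable(__DIR__ . '/include'),
    'ImageMagick convert usable' => imageMagickUsable('/usr/bin/convert'),
];
try {
    $pdo = new PDO('mysql:host=localhost;dbname=gallery', 'gallery_user', 'placeholder-secret');
    $report['MySQL privileges'] = mysqlPrivilegeProblems($pdo, 'cpg_') === [];
} catch (PDOException $e) {
    $report['MySQL privileges'] = false;
}
foreach ($report as $check => $ok) {
    echo str_pad($check, 30) . ($ok ? 'OK' : 'FAILED') . PHP_EOL;
}
```

Two notes on the design. The privilege probe runs the same statement kinds the real schema creation will run, so a user granted only SELECT/INSERT (a common shared-hosting setup) is caught before the installer half-creates the schema. And `type="password"` only keeps the value off the screen; against the man-in-the-middle Joachim mentions, the defence is serving the installer over HTTPS, not encrypting fields in JavaScript into hidden inputs, since on an unencrypted connection the attacker can replace the script itself or replay the encrypted values.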