
Author Topic: Password being sent in clear text  (Read 5387 times)


Offline fossxplorer

Password being sent in clear text
« on: 2014-04-22, 23:39:16 »
Mustafa: can you take a look at this as it could be a serious security problem:
When you access "SQL Manager" I see the request URL like /thirdparty/phpMyAdmin/?pma_username=myusername&pma_password=mypassword

"mypassword" is being sent in clear text! I assume that's not the intention?

Kloxo-MR!

Offline MRatWork

Re: Password being sent in clear text
« Reply #1 on: 2014-04-23, 02:23:52 »
Yes, it's no problem because only you see this URL.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

Re: Password being sent in clear text
« Reply #2 on: 2014-04-23, 04:19:23 »
Now that's funny.  Are you serious?  REALLY?

Yes, that is a security concern!  The only way it is not is if you use https, as GET requests in the URL are not sent until after the encryption starts.

I force all clients to use https for KloxoMR panel.
« Last Edit: 2014-04-23, 04:21:36 by chrisf »
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline Kloxo-DR

Re: Password being sent in clear text
« Reply #3 on: 2014-04-23, 07:11:15 »
Hi,
Mustafa: can you take a look at this as it could be a serious security problem:
When you access "SQL Manager" I see the request URL like /thirdparty/phpMyAdmin/?pma_username=myusername&pma_password=mypassword
"mypassword" is being sent in clear text! I assume that's not the intention?

This problem is not new.

That's not the intention, of course. But, in Kloxo-MR, there exists a little closed world of Mustafa related to security, which he believes is valid and correct.

In 2008, I had a fight on the telephone with Ligesh, the creator of lxadmin and developer of Kloxo, when he blatantly refused to recognize my security concerns. Later he killed himself.

I have never used phpMyAdmin.

Offline MRatWork

Re: Password being sent in clear text
« Reply #4 on: 2014-04-23, 07:25:14 »
In official Kloxo, all button links in the panel are in javascript format (so it's impossible to right-click and then click 'open in new tab'). In Kloxo-MR, all button links are changed to plain URLs (which makes right-click possible).

Both of them use the same mechanism to log in to phpMyAdmin ('get' instead of 'post').

In this context, there is no problem on the Kloxo-MR panel side; the question is how to make it 'more secure' on the phpMyAdmin side. That's it.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline Kloxo-DR

Re: Password being sent in clear text
« Reply #5 on: 2014-04-23, 10:03:07 »
In official Kloxo, all button links in the panel are in javascript format (so it's impossible to right-click and then click 'open in new tab'). In Kloxo-MR, all button links are changed to plain URLs (which makes right-click possible).

Yes, that's true. But this problem has existed in Kloxo as well for many years.

You changed it a bit to make it better, not in all areas.

Offline Kloxo-DR

Re: Password being sent in clear text
« Reply #6 on: 2014-04-23, 10:05:30 »
I forgot.

How about using a totally different redirection method which may secure the transfer beyond the technology implemented now?

Offline MRatWork

Re: Password being sent in clear text
« Reply #7 on: 2014-04-23, 10:19:58 »
I will change to 'post' instead of 'get' for external links (for example the phpMyAdmin login).

As we know, 'post' is harder to 'crack' than 'get'.

But the problem is in phpMyAdmin rather than the Kloxo-MR panel. If possible, it is better to limit phpMyAdmin login with 'no permit from remote'.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline fossxplorer

Re: Password being sent in clear text
« Reply #8 on: 2014-04-23, 10:27:43 »
It looks like commit c0dc7e73f3a47223a3bc215072298cbcbe7d3bc5 changes this.  Waiting for RPM updates :)

Updated to 2014042202.mr and the problem is partially gone. Now I only see the password in clear text when I hover over "SQL Manager". Also, the password was in /usr/local/lxlabs/kloxo/log/hiawatha-access.log earlier, but not after this update :)

Thank you Mustafa for taking immediate action on such security concerns.

Perhaps it's time to say the following:
As I might have stated before, coming from cPanel/WHM, I was initially intrigued by Kloxo-MR for its support for Nginx/proxy etc.
I gave it a try and I started to like it a lot since it's user-friendly and the flexibility is huge, but at the same time at the cost of some of the simplicity offered by e.g. cPanel.
Now I've invested a lot of time to learn and get things right, and Mustafa is assisting very well, so it's a good sign Kloxo-MR will have a good future.

One more thing I'd like to point out is that Kloxo-MR should strive to be PCI DSS compatible like cPanel/WHM hosters (of course there are other things that have to comply except the panel itself).

I urge everyone here to support this project by donating a small amount monthly. I've started, but after getting rid of cPanel, I'll regularly support this project.
Again, thank you Mustafa for your great work.

« Last Edit: 2014-04-23, 10:37:48 by Mella »
Kloxo-MR!
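The post above makes the defender's point concrete: a password carried in a GET query string is protected by https only on the wire; it still lands in the web server's access log (hiawatha-access.log here), in browser history and in referrer headers. The following script is an added example, not Kloxo-MR or phpMyAdmin code: it scans access-log lines for credential-bearing query parameters and produces a redacted copy of the log. The log lines are constructed samples in Apache/NCSA combined style (Hiawatha's actual format may differ, so the request-line regex is an assumption), and the parameter-name list is illustrative; `pma_username`/`pma_password` are the names seen in the thread.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that should never appear in a URL (assumed list).
SENSITIVE_PARAMS = {"pma_password", "password", "passwd", "pwd", "pass", "token"}

# Constructed sample log, combined-log style. The first line reproduces the
# kind of request the thread reports; the third shows a POST login, whose
# credentials travel in the body and therefore do not reach the log.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2014:23:39:16 +0200] "GET /thirdparty/phpMyAdmin/?pma_username=myusername&pma_password=mypassword HTTP/1.1" 200 5123 "https://panel.example:7777/" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2014:23:39:17 +0200] "GET /thirdparty/phpMyAdmin/js/main.js HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Apr/2014:02:23:52 +0200] "POST /thirdparty/phpMyAdmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Matches the quoted request line: method, request target, protocol (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')


def find_leaked_params(line):
    """Return a list of (method, param_name) for sensitive parameters in one log line's URL."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [
        (m.group("method"), name)
        for name, _value in parse_qsl(query, keep_blank_values=True)
        if name.lower() in SENSITIVE_PARAMS
    ]


def redact_line(line):
    """Return the line with every sensitive parameter value replaced by [REDACTED]."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(name.lower() in SENSITIVE_PARAMS for name, _ in pairs):
        return line
    clean = [
        (name, "[REDACTED]" if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in pairs
    ]
    # safe="[]" keeps the marker readable instead of percent-encoding the brackets.
    new_target = urlunsplit(parts._replace(query=urlencode(clean, safe="[]")))
    return line[: m.start("target")] + new_target + line[m.end("target"):]


def scan_log(text):
    """Scan a whole log. Returns (findings, redacted_text) where findings are (lineno, method, param)."""
    findings = []
    redacted = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for method, name in find_leaked_params(line):
            findings.append((lineno, method, name))
        redacted.append(redact_line(line))
    return findings, "\n".join(redacted) + "\n"


if __name__ == "__main__":
    found, cleaned = scan_log(SAMPLE_LOG)
    for lineno, method, name in found:
        print(f"line {lineno}: {method} request carries '{name}' in the query string")
    print(cleaned)
```

Run against a real access log, the findings list is the evidence that a credential was logged and the redacted text is what can safely be retained or shared while the panel is fixed to submit the login via POST.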

Offline Kloxo-DR

Re: Password being sent in clear text
« Reply #9 on: 2014-04-23, 10:52:02 »
Hi Mustafa,
I will change to 'post' instead of 'get' for external links (for example the phpMyAdmin login).
As we know, 'post' is harder to 'crack' than 'get'.

Coming to another point, as a subset of this discussion.

Gone are those days when we needed non-secured connections. Many companies just use https totally. Mustafa, why don't you just ABORT EVERY AREA THAT USES NON-SECURED CONNECTIONS?

There is really no reason to have 7778, etc. possibility. Everything _MUST_ GO THROUGH SSL. Now the default SSL is working properly. So just eradicate http://domain.tld/7778 completely.

I suggest to have an enhanced configuration of SSL Home which may give a very good overview of all SSL certificates used, or to be used, and assist an administrator to apply it.

Offline fossxplorer

Re: Password being sent in clear text
« Reply #10 on: 2014-04-23, 10:55:52 »
Good point which I was supposed to write, but forgot in my previous post.
Inspired by @chrisf's post, we should only permit customers to use SSL.

There is really no reason to have 7778, etc. possibility. Everything _MUST_ GO THROUGH SSL. Now the default SSL is working properly. So just eradicate http://domain.tld/7778 completely.
Kloxo-MR!
