Information: Forum is in read-only mode
For details and other support options see https://www.adiscon.com/news/support-forum-set-to-read-only-mode/

Security Issues with mailing list and forum

General discussions here

Moderator: alorbach


Postby lethalduck » Wed Jan 21, 2015 6:19 am

Hi.

Not sure if this is the correct place to post this, but I didn't see any other areas that looked any more suitable.

Insecure password storage in mailing list
See the attached rsyslogMailingList.png for what I'm referring to. Passwords should never be emailed in clear text. Apart from the obvious that everyone on the internet can see it, passwords should be one-way encrypted (unable to be reversed). If they are not, you're doing something quite dodgy and this really needs to be fixed. If your database is compromised, so are all the passwords. I don't think we want that happening. I definitely don't.
Now when I eventually am able to sign up to the forum, I receive an email that states:
"Your password has been securely stored in our database and cannot be
retrieved. In the event that it is forgotten, you will be able to reset it
using the email address associated with your account."
This is what I'd expect from the mailing list as well. "Cannot be retrieved"

Limiting password size
This is a clear indicator that passwords are being handled incorrectly. There should never be a limit on maximum password length. If there is, the encryption is being done wrong if at all. I'd really like to see this fixed for new members. Please refer to the image rsyslogMailingList.png I've attached for details.

Usability issue
When a user attempts to sign up to the forum, they receive a misleading error message: "You have incorrectly sorted the items to the correct list of the confirmation question." In the context of the signup page (which is where this message is presented) this could be really confusing because:
A) What items?
B) There doesn't appear to be anything to sort
C) There doesn't appear to be any list
D) There doesn't appear to be any confirmation question
Please see attached rsyslogForumMissleadingErrorMessage.png for error in question.
Attachments
rsyslogForumMissleadingErrorMessage.png (125.67 KiB)
rsyslogForum.png (114.14 KiB)
rsyslogMailingList.png (123.42 KiB)
lethalduck
Average
 
Posts: 10
Joined: Wed Jan 21, 2015 5:57 am


Re: Security Issues with mailing list and forum

Postby alorbach » Wed Mar 11, 2015 8:17 am

Hi,

I think these issues should be addressed by the developers who wrote phpbb3 and mailman.

best regards,
Andre
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am
