Security Issue on Protected Galleries ...

Antonio Correia Registered Users Posts: 6,241 Major grins
edited May 18, 2006 in SmugMug Support
Hello

I cleaned my cookies and tried to access a protected gallery.

After I input the password for this gallery several cookies were created (See attachment). Password is in plain text !! if you use one computer everybody will be able to see your gallery password. Even your gallery id is displayed.

To solve this problem: I would advise creating an encrypted SESSION variable; if you close your browser the session will expire automatically.

See http://php.net/manual/en/ref.session.php

ps - I changed the gallery password ...
All the best ! ... António Correia - Facebook

Comments

  • DodgeV83 Registered Users Posts: 379 Major grins
    edited May 17, 2006
    I just confirmed this on my system too...a major oversight if you ask me. Session cookies don't fix the problem in my book, because I'd still like the password to be saved on the computer for my guests, JUST NOT IN PLAINTEXT! :wow
  • Cason Registered Users Posts: 414 Major grins
    edited May 17, 2006
    They just need to implement a stronger encryption algorithm "hashing". Easier said than done.

    I'm sure the engineers will find a solution.
    Cason

    www.casongarner.com

    5D MkII | 30D | 50mm f1.8 II | 85mm f1.8 | 24-70mm f2.8
    L | 70-200mm f2.8L IS II | Manfrotto 3021BPRO with 322RC2
  • devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited May 17, 2006
    RTP wrote:
    They just need to implement a stronger encryption algorithm "hashing". Easier said than done.

    I'm sure the engineers will find a solution.
    umm hashing isn't encryption. Hashing is a one-way irreversible function.
    David Parry
    SmugMug API Developer
    My Photos
  • Andy Registered Users Posts: 50,016 Major grins
    edited May 18, 2006
    Antonio, we appreciate your post. Hang in there, we're listening.
  • Cason Registered Users Posts: 414 Major grins
    edited May 18, 2006
    devbobo wrote:
    umm hashing isn't encryption. Hashing is a one-way irreversible function.

    So you are saying it is not the same?

    You are encrypting the password with "one-way hashing". You type the password. It's hashed out into some garbage text and stored in the cookie. Then, the user comes back and types the password. That password is hashed out during the session and checked against the content stored in the cookie. If they match, then you are in.

    Is that not encrypting the password?
    Cason

    www.casongarner.com

    5D MkII | 30D | 50mm f1.8 II | 85mm f1.8 | 24-70mm f2.8
    L | 70-200mm f2.8L IS II | Manfrotto 3021BPRO with 322RC2
  • devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited May 18, 2006
    RTP wrote:
    So you are saying it is not the same?

    Yes I am saying they are not the same.

    RTP wrote:
    Is that not encrypting the password?
    No, encrypting something implies there is a method to retrieve the original text from the encrypted text by means of a key. Since a hashing algorithm is a one-way function, you require the original text to verify the hash value, hence it's not encryption.
    David Parry
    SmugMug API Developer
    My Photos
  • bwg Registered Users, Retired Mod Posts: 2,119 SmugMug Employee
    edited May 18, 2006
    devbobo wrote:
    No, encrypting something implies there is a method to retrieve the original text from the encrypted text by the means of a key.
    or keys
    Pedal faster
  • devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited May 18, 2006
    Typically, hashes are used for authentication or non-repudiation.

    The example you mentioned above with hashing the password into a cookie is one such example.

    Another example is digital signatures on email. The email message is hashed, and the hash value appended to the message. On opening the message, the recipient's email client hashes the message and compares it to the hash value attached to the email to determine if the message was modified in transit.
    David Parry
    SmugMug API Developer
    My Photos
  • Cason Registered Users Posts: 414 Major grins
    edited May 18, 2006
    Got it.
    Cason

    www.casongarner.com

    5D MkII | 30D | 50mm f1.8 II | 85mm f1.8 | 24-70mm f2.8
    L | 70-200mm f2.8L IS II | Manfrotto 3021BPRO with 322RC2
  • Antonio Correia Registered Users Posts: 6,241 Major grins
    edited May 18, 2006
    It works fine now.
    Nice work.
    SmugMug has an added value.
    Thank you.
    All the best ! ... António Correia - Facebook
  • onethumb Administrators Posts: 1,269 Major grins
    edited May 18, 2006
    RTP wrote:
    So you are saying it is not the same?

    You are encrypting the password with "one-way hashing". You type the password. It's hashed out into some garbage text and stored in the cookie. Then, the user comes back and types the password. That password is hashed out during the session and checked against the content stored in the cookie. If they match, then you are in.

    Is that not encrypting the password?

    Not only is that not encrypting, it's also not enhancing security at all.

    If someone can view your cookies, they can just copy the hashed string and it would act exactly the same as if they had typed the password.

    Don
  • luke_church Registered Users Posts: 507 Major grins
    edited May 18, 2006
    onethumb wrote:
    it's also not enhancing security at all.

    Don,

    As I'm sure you're more than well aware :)

    The only advantage it gives you is if people re-use passwords for other purposes, they can't be [easily] extracted if the machine is compromised.

    I agree that password reuse is not generally a good idea for 'shared access control' passwords, but I bet it happens.

    Luke
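The two designs argued over in this thread, as an added example in Python (not SmugMug's code; the gallery id, password and session lifetime are constructed values): scheme A stores hash(password) in the cookie as Cason describes, and as onethumb points out any copy of that value works exactly like the password and never expires; scheme B follows Antonio's session suggestion, so the cookie carries only a random server-side session id that expires and is dropped when the password changes.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real SmugMug values): gallery id -> viewing password.
GALLERY_PASSWORDS = {"gallery-123": "letmein"}

# --- Scheme A (as described in the thread): cookie holds hash(password) ----------
def scheme_a_unlock(gallery_id, password):
    """Correct password -> value the browser stores; a pure function of the password."""
    if not hmac.compare_digest(GALLERY_PASSWORDS[gallery_id], password):
        return None
    return hashlib.sha256(password.encode()).hexdigest()

def scheme_a_check(gallery_id, cookie_value):
    """Server recomputes the hash of the current password and compares. Nothing else
    is checked, so whoever presents this value is treated as having typed the password."""
    expected = hashlib.sha256(GALLERY_PASSWORDS[gallery_id].encode()).hexdigest()
    return hmac.compare_digest(expected, cookie_value)

# --- Scheme B: server-side session; cookie holds a random, expiring, revocable id --
SESSIONS = {}          # session id -> {"gallery": id, "expires": unix time}
SESSION_TTL = 3600     # seconds; assumed lifetime, not a SmugMug setting

def scheme_b_unlock(gallery_id, password, now):
    """Correct password -> fresh random session id. The id says nothing about the
    password or the gallery; all state lives on the server."""
    if not hmac.compare_digest(GALLERY_PASSWORDS[gallery_id], password):
        return None
    sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    SESSIONS[sid] = {"gallery": gallery_id, "expires": now + SESSION_TTL}
    return sid

def scheme_b_check(gallery_id, cookie_value, now):
    """Valid only while the server still holds the session and it has not expired."""
    sess = SESSIONS.get(cookie_value)
    if sess is None or sess["gallery"] != gallery_id:
        return False
    if now >= sess["expires"]:
        del SESSIONS[cookie_value]     # expired: forget it so it can never be replayed
        return False
    return True

def change_password(gallery_id, new_password):
    """Rotating the password (as the original poster did) invalidates every open session.
    Under scheme A the old cookie also stops working, but only because the hash changes."""
    GALLERY_PASSWORDS[gallery_id] = new_password
    for sid in [s for s, v in SESSIONS.items() if v["gallery"] == gallery_id]:
        del SESSIONS[sid]
```
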