OSCommerce Product Manager for Windows
FS#146 - Upload script has no authentication mechanism.
Attached to Project:
OSCommerce Product Manager
Opened by Mario A. Valdez-Ramirez (mvaldez) - Monday, 17 January 2005, 22:42 GMT
Last edited by Mario A. Valdez-Ramirez (mvaldez) - Tuesday, 18 January 2005, 14:05 GMT
Details
The upload script does not have any authentication mechanism active. The password is passed but no password is checked.
Originally the idea was to check if there was already a password set. If there was not, one was created. That's not very complex but now I think we should use a simpler mechanism. Let's retrieve the hashing of the database for the admin account (or something similar) and then let the oscpmwin application send a hash of the user-provided password. That way, no password is ever sent on line, only the hashings. Pending to check.
Now the upload password is always the database password. Now the application sends a timestamp string and the hash of the database password salted with the timestamp. This allows authentication without the need to have another password; there is no need to read the OSCommerce database to read/write that password, and the password is never sent as clear-text to the PHP upload script.
Closed.
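The closing comment describes a timestamp-salted hash exchange between the oscpmwin client and the PHP upload script. The following is an added illustration of that exchange, written here for this page and not taken from the OSCommerce Product Manager code base; it models both sides in Python rather than the project's Delphi client and PHP server. The ticket does not name the hash algorithm, the exact salting layout, or any freshness window, so SHA-256 over timestamp + password, a 300-second acceptance window, and a replay cache of already-accepted tokens are assumptions added here; the database password value is a constructed placeholder.

```python
import hashlib
import hmac
import time
from typing import Optional, Set, Tuple

# Constructed placeholder for the OSCommerce database password that both the
# client and the upload script already know (never a real credential).
DB_PASSWORD = "example-db-password"

# Assumptions not stated in the ticket: hash algorithm, salting layout
# (timestamp string prepended to the password) and the freshness window.
HASH_NAME = "sha256"
MAX_SKEW_SECONDS = 300


def salted_hash(ts: str, password: str) -> str:
    """hash(timestamp || password), the 'password salted with the timestamp'."""
    return hashlib.new(HASH_NAME, (ts + password).encode("utf-8")).hexdigest()


def make_upload_token(password: str, timestamp: Optional[int] = None) -> Tuple[str, str]:
    """Client side: build the (timestamp, digest) pair the application sends.

    Only the timestamp and the digest leave the client; the password itself
    is never transmitted.
    """
    ts = str(int(time.time()) if timestamp is None else timestamp)
    return ts, salted_hash(ts, password)


def verify_upload_token(ts: str, digest: str, password: str,
                        now: Optional[int] = None) -> bool:
    """Server side: recompute the digest from the known password and compare.

    The freshness check bounds how long a captured token stays usable; the
    constant-time comparison avoids leaking digest prefixes through timing.
    """
    if not ts.isdigit():
        return False
    now_s = int(time.time()) if now is None else now
    if abs(now_s - int(ts)) > MAX_SKEW_SECONDS:
        return False
    expected = salted_hash(ts, password)
    return hmac.compare_digest(expected, digest)


class UploadAuthenticator:
    """Server-side wrapper that also rejects replays inside the window.

    A timestamp alone does not stop an attacker who captured a valid token
    from reusing it while it is still fresh, so accepted tokens are cached
    until they would be rejected as stale anyway.
    """

    def __init__(self, password: str) -> None:
        self._password = password
        self._seen: Set[Tuple[str, str]] = set()

    def authenticate(self, ts: str, digest: str, now: Optional[int] = None) -> bool:
        if not verify_upload_token(ts, digest, self._password, now):
            return False
        token = (ts, digest)
        if token in self._seen:
            return False  # replay of an already-accepted token
        self._seen.add(token)
        return True


if __name__ == "__main__":
    # Constructed sample run: a timestamp from January 2005 and a check 100 s later.
    ts, digest = make_upload_token(DB_PASSWORD, timestamp=1105999000)
    auth = UploadAuthenticator(DB_PASSWORD)
    print("first use accepted:", auth.authenticate(ts, digest, now=1105999100))
    print("replay accepted:", auth.authenticate(ts, digest, now=1105999100))
    print("stale token accepted:", verify_upload_token(ts, digest, DB_PASSWORD, now=1105999301))
```

The freshness window and replay cache are the two checks the ticket's description leaves implicit: without them a captured (timestamp, digest) pair would authenticate indefinitely, since the digest is a pure function of the timestamp and the shared password.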