
Re: [Dolibarr-dev] Vulnerabilities


From: Philip Lehmann-Böhm
Subject: Re: [Dolibarr-dev] Vulnerabilities
Date: Sun, 03 Nov 2013 16:39:38 +0100
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0

Hi,

(sorry, I don't know how to reply directly to the existing thread:
http://lists.nongnu.org/archive/html/dolibarr-dev/2013-10/msg00003.html )

This just blew my mind a bit. In this topic, especially the denial of
starting to use parametrized queries.
And that the password is stored in plain text in the database is a no-go.

And the statement, that everything of the quoted website has been fixed
is not true. I run a freshly installed Dolibarr 3.4.1 and the passwords
are indeed available in plain text!

I'm willing to help here and this is what I propose:
- Are there plans to drop the plain password column? Has this already
happened in the next version? This goes too much into the core of Dolibarr,
so I won't be able to patch this in a meaningful timespan.

- Not using prepared statements is a no-go as well. I'd add support for
them in the mysql.class.php (not familiar with the others) with a
function like this:
function parametrizedQuery($query, $params, $usesavepoint=0, $type='auto')
And then start to port the code to use it step by step and make some
pull requests.

What do you think? Would this be a way to go?

Best Regards
Philip
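The two proposals in the message above (a parametrized query helper for the MySQL driver, and dropping the clear-text password column) can be illustrated with one small PHP sketch. This is an added example, not Dolibarr code and not something from the thread's author: the class name `ParamDb`, the helper functions, the column `pass_hash` and the connection credentials are all invented for the illustration. It assumes PHP 5.6 or later (for argument unpacking into `bind_param`) with the mysqli extension on mysqlnd (for `get_result`), and a table `llx_user(rowid, login, pass_hash)`; Dolibarr's real schema and driver API may differ.

```php
<?php
// Added illustration (not Dolibarr's code): a parametrized-query helper on
// top of mysqli prepared statements, plus hashed password storage so the
// clear-text password is never written to the database.
// Assumed: PHP >= 5.6, mysqli with mysqlnd, hypothetical table
//   llx_user(rowid INT, login VARCHAR, pass_hash VARCHAR).

class ParamDb
{
    private $db;

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    // Build the mysqli type string ("isd...") from the PHP types of $params.
    private static function typeString(array $params)
    {
        $types = '';
        foreach ($params as $p) {
            if (is_int($p)) {
                $types .= 'i';
            } elseif (is_float($p)) {
                $types .= 'd';
            } else {
                $types .= 's';   // strings, bools and nulls are bound as text
            }
        }
        return $types;
    }

    /**
     * Run $query with '?' placeholders bound to $params (same shape as the
     * parametrizedQuery() proposed in the thread, minus the savepoint/type args).
     * The SQL text and the values travel separately, so a value such as
     * "' OR '1'='1" is only ever data and cannot alter the statement.
     * Returns a mysqli_result for statements that produce rows, otherwise
     * the number of affected rows.
     */
    public function parametrizedQuery($query, array $params = array())
    {
        $stmt = $this->db->prepare($query);
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->db->error);
        }
        if (count($params) > 0) {
            $stmt->bind_param(self::typeString($params), ...$params);
        }
        if (!$stmt->execute()) {
            throw new RuntimeException('execute failed: ' . $stmt->error);
        }
        $result = $stmt->get_result();   // false for INSERT/UPDATE/DELETE
        return ($result !== false) ? $result : $stmt->affected_rows;
    }
}

// Store a password as a salted bcrypt hash (password_hash, PHP >= 5.5);
// no clear-text column is needed at all.
function setUserPassword(ParamDb $db, $userId, $clearPassword)
{
    $hash = password_hash($clearPassword, PASSWORD_DEFAULT);
    return $db->parametrizedQuery(
        'UPDATE llx_user SET pass_hash = ? WHERE rowid = ?',
        array($hash, (int) $userId)
    );
}

// Verify a login attempt against the stored hash only.
function checkUserPassword(ParamDb $db, $login, $clearPassword)
{
    $res = $db->parametrizedQuery(
        'SELECT pass_hash FROM llx_user WHERE login = ?',
        array($login)
    );
    $row = $res->fetch_assoc();   // null when no such login
    return $row !== null && password_verify($clearPassword, $row['pass_hash']);
}

// Usage with constructed credentials (replace with real connection settings).
$mysqli = new mysqli('localhost', 'dolibarr', 'db-password', 'dolibarr');
$db = new ParamDb($mysqli);
setUserPassword($db, 1, 'correct horse battery staple');
// The quote characters are bound as data, so this simply finds no such user.
var_dump(checkUserPassword($db, "admin' OR '1'='1", 'anything'));
```

Porting a call site then consists of replacing string-built SQL with a `?` placeholder and moving the value into the parameter array; the driver never has to escape it. Storing only `pass_hash` also removes the clear-text column that the message reports still being present in 3.4.1, and `password_verify` handles the comparison so no code path needs the original password after login.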


