This is very bad


XboxCenter.com
Tue 18th Sep '01, 3:21pm
vBulletin development team,

I was looking around in the tables because I need to give one of my sites access (read only) to our forum user table so that they can validate that someone is a member of our forum.

What I saw really makes me question your sense of security.

I saw every member's login password in the clear.

There is a MySQL function to encrypt the password, and you should be storing the encrypted password in the user's cookie as well.

You should know that unix passwords are not stored unencrypted, why would you do this in the user table?

As a result, I will now have to write a wrapper function for them to validate this so that they do not have access to all the user passwords.

PASSWORDS SHOULD NEVER BE STORED IN THE CLEAR !

I would like you to give me a script to encrypt them all and send me updated php files that use the encrypted passwords for our forum. Please fix this ASAP.

Regards,
Steve

Chen
Tue 18th Sep '01, 3:26pm
This is where I say something very bad, but I don't want to sound bitter, so I'll pass.

JamesUS
Tue 18th Sep '01, 5:26pm
Passwords are stored as plaintext for a reason. Quite a few of our features would have to change very significantly to work with encrypted passwords, and it's not something that's easy to do.

While encrypted passwords are on our list for a future release (near future), that release won't be available for a few months as of yet. The best thing to do right now is to use one of the MD5 Encryption hacks available in the Hacks Forum.

In cookies the password is encrypted. The only place where passwords are not encrypted is the database...everywhere else they are encrypted with non-reversible encryption.
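
The request in the opening post (a script to convert the stored passwords, plus a validation wrapper so the partner site never reads the user table) and the reply above (non-reversible hashing everywhere except the database) can both be shown in one worked example. This is an added example, not code from the thread, from vBulletin or from the MD5 hacks it mentions: it uses an in-memory SQLite table as a stand-in for the MySQL `user` table, salted PBKDF2-HMAC-SHA256 instead of the unsalted MD5 of the period (an assumption made here so the example reflects current practice), and constructed sample rows.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the forum's user table. In the thread the real table
# is MySQL; SQLite in memory lets this run offline with the same SQL shape.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user ("
        " userid INTEGER PRIMARY KEY,"
        " username TEXT UNIQUE NOT NULL,"
        " password TEXT NOT NULL,"   # clear text before migration, hex hash after
        " salt TEXT)"                # NULL until the row has been migrated
    )
    # Constructed sample rows in the clear, as the opening post describes.
    db.executemany(
        "INSERT INTO user (username, password) VALUES (?, ?)",
        [("steve", "plaintext1"), ("chen", "hunter2")],
    )
    db.commit()
    return db


def hash_password(password: str, salt: bytes) -> str:
    """Non-reversible, salted derivation (assumption: PBKDF2-HMAC-SHA256, 100k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def migrate_plaintext(db: sqlite3.Connection) -> int:
    """One-off conversion of every clear-text row to salt + hash.

    Returns how many rows were converted; a second run converts nothing,
    so the script is safe to re-run after a partial failure.
    """
    rows = db.execute("SELECT userid, password FROM user WHERE salt IS NULL").fetchall()
    for userid, clear in rows:
        salt = os.urandom(16)   # per-user salt so equal passwords hash differently
        db.execute(
            "UPDATE user SET password = ?, salt = ? WHERE userid = ?",
            (hash_password(clear, salt), salt.hex(), userid),
        )
    db.commit()
    return len(rows)


def is_member(db: sqlite3.Connection, username: str, password: str) -> bool:
    """The wrapper the partner site calls instead of reading the user table.

    It answers only yes/no; the caller never sees salts or hashes. Rows that
    have not been migrated are rejected rather than compared in the clear.
    """
    row = db.execute(
        "SELECT password, salt FROM user WHERE username = ?", (username,)
    ).fetchone()
    if row is None or row[1] is None:
        # Spend the same hashing cost for unknown users so that a lookup failure
        # is not distinguishable from a wrong password by response time.
        hash_password(password, b"\x00" * 16)
        return False
    stored, salt_hex = row
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    conn = make_db()
    print("migrated rows:", migrate_plaintext(conn))
    print("steve/plaintext1 ->", is_member(conn, "steve", "plaintext1"))
    print("steve/wrong      ->", is_member(conn, "steve", "wrong"))
```

Two points the thread only hints at: the partner site gets a function, not a read-only grant on the table, so a compromise of that site yields no password material; and because the wrapper refuses to compare unmigrated rows, there is no window in which both clear-text and hashed checks are accepted. Note that storing the hash itself in the login cookie, as the reply above describes, makes the hash a password equivalent wherever the cookie is exposed; a random per-session token stored server-side avoids that, but is outside what this example shows.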

CG2
Tue 18th Sep '01, 6:30pm
*geekish sneer*

orca
Wed 19th Sep '01, 3:36am
Hmm, xbox comes from a company which also doesn't have "much" security...(nothing against you, Steve).

Although encrypted passwords are good for security, you also need to think where they are stored. Usually, you don't give open access to the MySQL database. And as admin you should be reasonable enough to not misuse them.

XboxCenter.com
Wed 19th Sep '01, 10:59am
Yes orca you are correct about allowing access.

However, one of the rules of security is that if someone is able to read some file, they should not be able to learn anything from it that lets them get into your system.

In this case: the admin or a moderator password would allow them to do that.

Nothing is foolproof, it's just a matter of how hard you make it for them to get to it.

TommyBALL
Wed 19th Sep '01, 11:29am
Nothing is foolproof because fools are so ingenious ;)

- TommyBALL

tubedogg
Wed 19th Sep '01, 4:33pm
Originally posted by XboxCenter.com
In this case: the admin or a moderator password would allow them to do that.

If someone has access to your MySQL database without authorization you've got more problems than whether they can mess with your vB templates...

RobAC
Wed 19th Sep '01, 4:37pm
And, since administrative access has been mentioned, this is another reason why your administrative directory should be .htaccess protected.

MattR
Wed 19th Sep '01, 5:28pm
You can easily gain access to the data stored in the DB with the unix 'strings' command.

We had a very long debate about this a couple months ago -- I suggest you try searching for that; it has comments from higher-ups which may answer your question.

XboxCenter.com
Wed 19th Sep '01, 7:55pm
Good point RobAC

Thanks for bringing that to my attention. I will protect the directory.

Just a side note:
I lost 31 of my sites over two weeks ago (on two other servers) before getting my RAQ. Someone hacked into the servers and deleted all the sites on them.

XboxCenter.com
Wed 19th Sep '01, 7:59pm
Thanks MattR,

I have never used that command (that I remember). I will look up the thread. If it looks like a security risk, I will change permissions on it.

I don't allow telnet, but the unix commands can be accessed from perl also.

- Steve

Jake Bunce
Wed 19th Sep '01, 8:36pm
meh

been done

*me stuffs a cream pie in XboxCenter.com's face* :D

Chen
Thu 20th Sep '01, 7:26am
Originally posted by tubedogg
If someone has access to your MySQL database without authorization you've got more problems than whether they can mess with your vB templates...
He-he. :D