MyBB Community Forums

Full Version: AdminCP Login security weakness
Hey

I think this may be considered a security weakness:

The AdminCP Login page sends the login data unencrypted to the server. For SSL users this is not a problem, but for most of us it's a relatively dangerous risk to take.

Most of us use WiFi connections at home. WiFi connections can be easily lurked with tools like aircrack-ng and analyzed with network protocol analyzers like Wireshark. If our browser's sending sensitive post data unencrypted over the air, this data can be easily intercepted and read.

A simple way to fix this is to salt and md5 the password (using js) before sending it to the server.

Regards
There is nothing MyBB could do to prevent man-in-the-middle attacks. JavaScript is not a solution; if your client can produce the hash, then the attacker can do it too. There would be no need for HTTPS if security could be achieved that easily. If you need that kind of security, use the solutions that are already there - get a proper SSL certificate and force everyone to use HTTPS for everything, not just Admin CP, since it's one and the same user login for all.
A proper password, salted and hashed, will be a hell of a hard task for someone to reverse.
(2010-02-23, 08:29 PM) Shadow Player Wrote: Most of us use WiFi connections at home. WiFi connections can be easily lurked with tools like aircrack-ng and analyzed with network protocol analyzers like Wireshark. If our browser's sending sensitive post data unencrypted over the air, this data can be easily intercepted and read.

You shouldn't be sending sensitive data over a public or unsecured connection in the first place, really.
We're not talking about public or unsecured access... WEP/WPA authentication on your router doesn't prevent someone from monitoring your wireless transactions.
I've done it. And the js salt+hashing is a common practice for login forms that don't count on an SSL certificate. And it works.
(2010-02-23, 11:10 PM) Shadow Player Wrote: We're not talking about public or unsecured access... WEP/WPA authentication on your router doesn't prevent someone from monitoring your wireless transactions.
I've done it. And the js salt+hashing is a common practice for login forms that don't count on an SSL certificate. And it works.

Disable JS and tell me what happens.
Honestly, JS has to be the shittiest method of securing anything.
Using JS to implement security is the worst thing to do.

There is no such weakness in the ACP. Preventing middle-man attacks is the responsibility of your router and the encryption technology you use and the strength of the key.
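
The first reply's point, that a hash the browser can produce is just as usable by whoever captures it, modelled as an added example (Node.js; not part of the thread and not MyBB code). All names and values are constructed, and the one-time-nonce variant is a hypothetical comparison that nobody in the thread proposed.

```javascript
// Added example, not MyBB code. Salt and password are constructed sample values.
const nodeCrypto = require("crypto");
const md5 = (s) => nodeCrypto.createHash("md5").update(s).digest("hex");
function same(a, b) { // constant-time comparison of two strings
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && nodeCrypto.timingSafeEqual(x, y);
}
const SALT = "constructed-salt";
const PASSWORD = "constructed-admin-password";

// Scheme A, the proposal: the browser sends md5(salt + password), not the password.
const browserStatic = (salt, password) => md5(salt + password);
function staticServer(salt, password) {
  const stored = md5(salt + password);
  return { login: (submitted) => same(String(submitted), stored) };
}

// Scheme B, hypothetical variant: the server issues a one-time nonce per attempt.
const browserChallenge = (salt, password, nonce) => md5(nonce + md5(salt + password));
function challengeServer(salt, password) {
  const stored = md5(salt + password);
  const open = new Set();
  return {
    challenge() {
      const nonce = nodeCrypto.randomBytes(16).toString("hex");
      open.add(nonce);
      return nonce;
    },
    login(nonce, response) {
      if (!open.delete(nonce)) return false; // unknown or already used nonce
      return same(String(response), md5(nonce + stored));
    },
  };
}

// A passive observer records exactly what the browser put on the wire.
function replayAgainstStatic() {
  const server = staticServer(SALT, PASSWORD);
  const recorded = browserStatic(SALT, PASSWORD); // the hash is now the credential
  return { owner: server.login(recorded), replay: server.login(recorded) };
}
function replayAgainstChallenge() {
  const server = challengeServer(SALT, PASSWORD);
  const nonce = server.challenge();
  const recorded = browserChallenge(SALT, PASSWORD, nonce);
  const owner = server.login(nonce, recorded);
  const replay = server.login(nonce, recorded); // nonce already consumed
  const fresh = server.login(server.challenge(), recorded); // bound to the old nonce
  return { owner, replay, fresh };
}
```

The nonce variant only rejects a recorded login; the script that does the hashing still arrives over plain HTTP and can be altered in transit, which is why the reply above points to HTTPS for the whole site.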