To Fix : login service flaw - TECHNICAL SUPPORT / WEB APPs BUGS - Ryzom Community Forum



#1

Password comparison is not being carried out as an exact match in the login process, which could lead to security issues. This happens both in the web services and the client application.

Please fix the code for comparing the password provided in the login process and the one stored in the database.


#2

And please add *any* form of security to it. https...?


#3

Madre?  That's a strong statement to make without examples. (I wouldn't suggest posting examples here, for obvious reasons.)  However, I hope that you sent an email to support with *details*.

Arc -- agreed.


Remembering Tyneetryk
Phaedreas Tears - 15 years old and first(*) of true neutral guilds in Atys.
(*) This statement is contested, but we are certainly the longest lasting.
<clowns | me & you | jokers>

#4

Yeah. Security issues should be reported in private, not in public like I did here. But I decided to do it in public because I have my doubts about it being taken seriously unless done this way. This bug is probably as old as time and common knowledge among many users.

Severity is not high since most of the password strength is retained. It would make password cracking easier though. Not an expert level thing, just a noobish implementation. It should be very easy to spot and fix after a quick look at the code.