[WONTFIX] Passing Variables

Support and feedback for NetherPanel
AKA java UniUploader

[WONTFIX] Passing Variables

Postby carlpalmer » Wed Apr 11, 2007 10:37 pm

Ok I am playing with this, and I have a problem with the way that variables are passed. I have it set up so that everyone uses the username and password for the roster, so that they can update the guild roster whenever they connect. The problem is that the password is shown in clear text on the config page.

All anyone has to do is install this, and they have complete unmitigated access to the administration of my Roster site. I think this is a bad idea.
Last edited by carlpalmer on Sun Apr 15, 2007 5:23 pm, edited 1 time in total.
A computer is like an Old Testament god, with a lot of rules and no mercy.

Image
Image
User avatar
carlpalmer
WR.net Apprentice
WR.net Apprentice
 
Posts: 24
Joined: Fri Jul 21, 2006 4:27 am

Passing Variables

Postby robojerk » Wed Apr 11, 2007 11:59 pm

carlpalmer wrote:I have it set up so that everyone uses the username and password for the roster...

All anyone has to do is install this, and they have complete unmitigated access to the administration of my Roster site. I think this is a bad idea.


Maybe some future version of WoWRoster will support multi users with different access. For the time being I think you should stop allowing them full access to your Roster.
Last edited by robojerk on Thu Apr 12, 2007 12:24 am, edited 1 time in total.
Image
For the Horde!
Image
User avatar
robojerk
WR.net Master
WR.net Master
 
Posts: 484
Joined: Wed Jul 05, 2006 12:17 am
Location: -The OmniMatrix- Web 3.0

Passing Variables

Postby lhunath » Thu Apr 12, 2007 12:14 am

Dear carlpalmer ..

I am no fan of obfuscation. If you wish to suggest obfuscation principles, suggest away, but you will NEVER see obfuscation introduced in jUniUploader.

Security is a SERIOUS thing. Obfuscation is a pathetic attempt at making something look secure.

Let me explain myself.

Any password and username are sent to jUniUploader IN CLEAR TEXT by UniAdmin. You can SEE THE PASSWORD by browsing to this url:

http://my-guild.com/blahblah/uniadmin/interface.php?OPERATION=GETSETTINGSXML

That is your guild's UniAdmin sync url with the query that asks for the settings. Look at its output in your webbrowser, it tells you the password LITERALLY.

If you wish to discuss security, do not come to me, go to Zanix and ask for HTTP authentication and making HTTPS REQUIRED.
Only then, I will considder putting stars on any sort of password in jUniUploader. Currently, it's totally rediculous to try and hide the password. If anything, it will push the WoWRoster devs to become sane and never send passwords on unencrypted streams, accessible by anonymous users.
Last edited by lhunath on Thu Apr 12, 2007 12:15 am, edited 1 time in total.
"OK, so ten out of ten for style, but minus several million for good thinking, yeah?"
-- Zaphod Beeblebrox


= NetherPanel: home - launch - tickets =
User avatar
lhunath
UA/UU Developer
UA/UU Developer
 
Posts: 201
Joined: Sat Jul 22, 2006 12:32 pm

Re: Passing Variables

Postby carlpalmer » Thu Apr 12, 2007 12:26 am

lhunath that is information that I didn't know. You make a good point, and based on that, I completely see where you are coming from.

robojerk - Well, that would be fantastic, not giving them full access to the roster, but since that password is required when updating the guild roster, this suggestion is useful.
A computer is like an Old Testament god, with a lot of rules and no mercy.

Image
Image
User avatar
carlpalmer
WR.net Apprentice
WR.net Apprentice
 
Posts: 24
Joined: Fri Jul 21, 2006 4:27 am

Passing Variables

Postby PleegWat » Thu Apr 12, 2007 4:25 am

The data would also be in plaintext in the normal UU's config file, as it probably is in jUU's config file.

Oh, and in 1.8 there's a three-level auth system with guild/officer/admin passes. No full auth but as close as you're likely to get in the 1x line.
I <3 /bin/bash
User avatar
PleegWat
WoWRoster.net Dev Team
WoWRoster.net Dev Team
 
Posts: 1636
Joined: Tue Jul 04, 2006 1:43 pm

Re: Passing Variables

Postby robojerk » Thu Apr 12, 2007 4:39 am

PleegWat wrote:The data would also be in plaintext in the normal UU's config file, as it probably is in jUU's config file.

Word.

PleegWat wrote:Oh, and in 1.8 there's a three-level auth system with guild/officer/admin passes. No full auth but as close as you're likely to get in the 1x line.

Disco!
Image
For the Horde!
Image
User avatar
robojerk
WR.net Master
WR.net Master
 
Posts: 484
Joined: Wed Jul 05, 2006 12:17 am
Location: -The OmniMatrix- Web 3.0

Re: Passing Variables

Postby lhunath » Thu Apr 12, 2007 6:22 am

PleegWat wrote:The data would also be in plaintext in the normal UU's config file, as it probably is in jUU's config file.

Oh, and in 1.8 there's a three-level auth system with guild/officer/admin passes. No full auth but as close as you're likely to get in the 1x line.

Sounds good like a good start. But I still highly recommend HTTPS. Sending passwords in the clear is like making a forum post asking for your roster to be hacked and providing the password for it.

By the way, carlpalmer, I hope I didn't sound personal; I tend to sound a little too offensive when talking about security issues. Naturally I did not intend to direct anything toward you.
Last edited by lhunath on Thu Apr 12, 2007 6:23 am, edited 1 time in total.
"OK, so ten out of ten for style, but minus several million for good thinking, yeah?"
-- Zaphod Beeblebrox


= NetherPanel: home - launch - tickets =
User avatar
lhunath
UA/UU Developer
UA/UU Developer
 
Posts: 201
Joined: Sat Jul 22, 2006 12:32 pm

Passing Variables

Postby PleegWat » Thu Apr 12, 2007 5:49 pm

This discussion has been had between the devs before. Matt clearly stated he's never gonna support https. The problem with https is that it's still not secure unless you have an officially signed certificate. The cost of those put them outside consideration.
I <3 /bin/bash
User avatar
PleegWat
WoWRoster.net Dev Team
WoWRoster.net Dev Team
 
Posts: 1636
Joined: Tue Jul 04, 2006 1:43 pm


Return to NetherPanel

Who is online

Users browsing this forum: No registered users and 0 guests