[TH] Install and Upgrade [Deleted]

If the password is actually being printed back out, it would be in the page source; inspecting it may not show as a browser design choice. I don't know the implementation to know whether or not that's the case though.
 
Just checked (look at me being all helpful :p). Starred out in Page Source too.
 
I was the one who noticed it. I can still reproduce this in Safari, by clicking on the "stored credentials" option in ACP, clicking edit on the desired credential and then right clicking in the password field and inspecting. In the screenshot, you can see the username is test and the password is "hidemetest". Not major if you are the only admin with ACP access but unsafe if you aren't.
 

Attachments

  • Screen Shot 2015-05-30 at 8.27.33 PM.webp
Okay, I didn't have the whole "edit the field first" part of the equation :)

Yes, I can confirm this.
 
Anyone with the premium version that can test as well? I know it says you can enable encryption of the password in the database with the premium version but wondering if it still shows in the ACP using this method.

Yeah, sorry. I wasn't as clear about the procedure when @Brogan and I were talking about it.
 
How is privacy provided for the account? Do you store this information on your server (hostname, username, password, etc.)?
On a multi-admin site this is a privacy issue: the FTP password is visible as plain text.
Is there a solution for the store credential function?
 
@Jon W Hey, how does the copyright system work actually? I've made sure to allow copyright to appear in all cases and never hide it, but for the past few days, I've never seen the copyright in my footer at all. It behaves this way both on my live forums and my local host.
 
@TDUBS However, you can prevent the Stored Credentials page from returning the actual password when someone tries to edit it by editing this file:
library\Waindigo\InstallUpgrade\Extend\XenForo\ControllerAdmin\AddOn.php
The function that returns the password begins on line 497 (function name: actionStoredCredentialsEdit). Preventing the function from returning the actual password should be enough if all you worry about is other admins that have access to Admin CP from accessing the password.

In my case, I added this line:
$credential['password'] = "fake password";
right before this line (adding it after will also work - just make sure it's changed before being added to $viewParams array):
$credential = $installUpgradeModel->prepareCredential($credential);
 

So this is the fix Jon would have to do in order to fix this problem?
 
@TDUBS It will only solve the issue that those users above reported: the issue where it's possible for other admins that have access to Admin CP to retrieve the password of the stored credentials (and if you're not on an encrypted connection, it's also possible for a MITM attacker to retrieve it).
 

I'll hold off on this then. Security through obscurity.
 
Also, it would be better if the add-on didn't return the actual FTP password on the FTP Login Details option, and also the XenForo License Validation Token or even the XenForo License Key. For example, Audentio's UI.X has a better method: it won't return the Audentio API key once it has been set. It only allows the user to change it, not view it. I'm not so concerned since I especially set the security setting of my admin.php on CloudFlare to High, and the encryption of my whole forums is fully strict. But still, there's a concern since I'm not the only one who has access to Admin CP, and I can't tell for sure that the other admins' devices are safe.
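The two ideas in this thread, masking the stored password before it reaches $viewParams (the one-line patch above) and the UI.X-style "change it, never view it" behaviour, fit together as one edit-form pattern. The following is an added, self-contained PHP illustration and not the add-on's or XenForo's code: the function names, the placeholder constant and the sample record are assumptions made for this example.

```php
<?php
// Added example (not the Install and Upgrade add-on's own code).
// Pattern: never send the stored secret to the edit template; on save, keep the
// stored secret unless the admin typed a new one. Names below are assumptions.

const PASSWORD_PLACEHOLDER = '********';

/**
 * Prepare a credential record for the edit template. The real password is
 * replaced before the record is handed to the view, so it cannot show up in
 * the page source, in the inspector, or in a capture of the edit page.
 */
function prepareCredentialForView(array $credential): array
{
    $credential['password'] = PASSWORD_PLACEHOLDER;
    return $credential;
}

/**
 * Apply a submitted edit. If the password field still holds the placeholder
 * (or was left empty), the stored password is kept; otherwise it is replaced.
 * This is what lets an admin rotate the secret without ever being able to read it.
 */
function applyCredentialEdit(array $stored, array $input): array
{
    $stored['hostname'] = $input['hostname'] ?? $stored['hostname'];
    $stored['username'] = $input['username'] ?? $stored['username'];

    $submitted = (string) ($input['password'] ?? '');
    if ($submitted !== '' && $submitted !== PASSWORD_PLACEHOLDER) {
        $stored['password'] = $submitted;
    }
    return $stored;
}

// Constructed sample record (not real data); the value mirrors the thread's test case.
$stored = [
    'hostname' => 'ftp.example.test',
    'username' => 'test',
    'password' => 'hidemetest',
];

// What the edit form receives: the password is masked.
$viewParams = ['credential' => prepareCredentialForView($stored)];
if ($viewParams['credential']['password'] !== PASSWORD_PLACEHOLDER) {
    throw new RuntimeException('password leaked into view params');
}

// Admin saves the form without touching the password field: stored value is kept.
$unchanged = applyCredentialEdit($stored, [
    'hostname' => 'ftp.example.test',
    'username' => 'test',
    'password' => PASSWORD_PLACEHOLDER,
]);
if ($unchanged['password'] !== 'hidemetest') {
    throw new RuntimeException('stored password was clobbered by the placeholder');
}

// Admin enters a new password: it replaces the old one.
$rotated = applyCredentialEdit($stored, ['password' => 'new-secret']);
if ($rotated['password'] !== 'new-secret') {
    throw new RuntimeException('new password was not applied');
}

echo "ok\n";
```

This only closes the disclosure path through the ACP edit page. It does nothing about how the credential is stored in the database (the thread's separate question about the premium version's encryption), and the MITM point raised above is addressed by serving the admin area over an encrypted connection, not by this code.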
 