
AfterLogic WebMail Pro

Topic: Admin password stored in plain text!?
AdamR
Newbie
Joined: 25 January 2010
Location: United Kingdom
Posts: 1
Posted: 25 January 2010 at 1:47pm

Hi,

I found AfterLogic Webmail client from some Google results after looking for a good PHP email client. So far, so good -- does what I want nicely.

My concern is the password for the admin panel. Why is it stored in plain text in an XML file?

Yes, my file system has a good amount of measures to stop anyone reading it who shouldn't be. But still, I feel this is open for abuse for those on shared web servers or improperly secured file systems.

Could you possibly consider storing the password as a hash in future versions? PHP is capable of strong algorithms like SHA-512, and I remember .NET can from when I was doing coursework at university.

I've modified '/adminpanel/plugins/common/plugin.php' to save the password hashed with the Whirlpool algorithm, and again modified '/adminpanel/cadminpanel.php' to read the Whirlpool hash fine. However, I feel something like this should be included.

I'm also wondering why you like to mask so much of your code by putting functions as single line files with iffy variable names (like '$   …… … ……   '). I'm no PHP expert, but I could modify it easily with some simple searches :)

Other than that, thanks - nice mail client.
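The change the post asks for, as an added example in PHP (this is not AfterLogic code and not the poster's patch): the weak pattern the thread complains about, an admin password kept as plain text in an XML settings file, beside a hardened version that stores only a salted bcrypt hash via password_hash() and checks it with password_verify(). The poster's own unsalted Whirlpool variant is included for comparison. The file name, the XML element names and the demo password are assumptions made for this example.

```php
<?php
// Added example, not AfterLogic code: the weak pattern the post describes
// (admin password stored as plain text in an XML settings file) next to a
// hardened version that stores only a salted bcrypt hash. File name, XML
// element names and the demo password are assumptions made for the example.
declare(strict_types=1);

// --- Weak: the settings file carries the secret itself -----------------------
function saveAdminPasswordPlain(string $file, string $password): void
{
    $xml = new SimpleXMLElement('<settings/>');
    // addChild() does not escape '&' or '<' in values, so escape explicitly.
    $xml->addChild('AdminPassword', htmlspecialchars($password, ENT_XML1));
    file_put_contents($file, $xml->asXML(), LOCK_EX);
}

function checkAdminPasswordPlain(string $file, string $candidate): bool
{
    $xml = simplexml_load_file($file);
    // Whoever can read this file (another tenant on a shared host, a backup,
    // a misconfigured vhost) has the admin password outright, and the
    // comparison below is not constant-time either.
    return (string) $xml->AdminPassword === $candidate;
}

// --- Hardened: store a salted, slow hash and compare in constant time --------
function saveAdminPasswordHashed(string $file, string $password): void
{
    // password_hash() draws a random salt and embeds algorithm, cost and salt
    // in the output string, so the file needs no separate salt field.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $xml = new SimpleXMLElement('<settings/>');
    $xml->addChild('AdminPasswordHash', $hash); // bcrypt output is [./A-Za-z0-9$], XML-safe
    file_put_contents($file, $xml->asXML(), LOCK_EX);
    chmod($file, 0600); // the hash still deserves owner-only permissions
}

function checkAdminPasswordHashed(string $file, string $candidate): bool
{
    $xml = simplexml_load_file($file);
    $hash = (string) $xml->AdminPasswordHash;
    // password_verify() recovers salt and cost from $hash and compares in
    // constant time; a stolen file now costs one bcrypt run per guess.
    return $hash !== '' && password_verify($candidate, $hash);
}

// --- Middle ground: an unsalted Whirlpool digest, as the poster did ----------
// Better than plain text, but equal passwords give equal digests, so a stolen
// file can be attacked with precomputed tables at full hardware speed.
// hash_equals() at least removes the timing side channel from the compare.
function checkAdminPasswordWhirlpool(string $storedHex, string $candidate): bool
{
    return hash_equals($storedHex, hash('whirlpool', $candidate));
}

// Demo on a temporary file; the password is a constructed sample.
$file = sys_get_temp_dir() . '/settings_example.xml';
saveAdminPasswordHashed($file, 'correct horse battery staple');
var_dump(checkAdminPasswordHashed($file, 'correct horse battery staple'));
var_dump(checkAdminPasswordHashed($file, 'wrong'));
echo file_get_contents($file);
unlink($file);
```

Run it with `php settings_example.php`: the first check is true, the second false, and the printed settings file contains only a `$2y$12$...` string from which the password cannot be read back. The bcrypt cost of 12 is a deliberate choice for a single admin login; raise it if the host can afford it, and note that bcrypt only looks at the first 72 bytes of the password.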
 
Igor
AfterLogic Support
Joined: 24 June 2008
Location: United States
Posts: 6089
Posted: 26 January 2010 at 2:46am

Quote:
Could you possibly consider storing the password as a hash in future versions?


Thank you for your suggestion, our developers will consider it.

Quote:
I'm also wondering why you like to mask so much of your code by putting functions as single line files with iffy variable names (like '$   …… … ……   ').


We have to do this to protect the license key check logic, so a few of the files involved in this are encoded. Of course, we realize that it can still be decoded, but 100% reliable protection just doesn't exist, right?

--
Regards,
Igor, AfterLogic Support
 
Igor
AfterLogic Support
Joined: 24 June 2008
Location: United States
Posts: 6089
Posted: 26 January 2010 at 5:36am

I guess it's also worth mentioning that you can move the data folder from its default location to anywhere you like and change its name to anything; just change the path in the inc_settings_path.php file. Moving the data folder outside of the document root makes it impossible to access those files via a web browser.

In the future, we are planning to modify the WebMail Pro architecture a bit, so that files keep as few configuration details as possible and most of them are kept in the database. Without that, hiding only the adminpanel password is absolutely not enough, since there is other sensitive data stored, like database access credentials.

--
Regards,
Igor, AfterLogic Support
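A check a practitioner would want after relocating the data folder as the reply above suggests, written as an added example (not part of the thread and not AfterLogic code): it verifies that the configured data directory really sits outside the document root, resolving symlinks and `..` first and comparing paths with a trailing separator so that `/var/www/html` is not mistaken for the parent of `/var/www/html-data`, and that the directory is not accessible to other local users on a shared host. The directory names are constructed for the demo; nothing is assumed about the variable name inside inc_settings_path.php.

```php
<?php
// Added example, not AfterLogic code: checks that the data directory named in
// the settings really sits outside the web server's document root and is not
// readable by other local users. Directory names below are constructed for
// the demo; how inc_settings_path.php names its variable is not assumed here.
declare(strict_types=1);

/** True when $child is $parent itself or lies anywhere beneath it. */
function isInside(string $parent, string $child): bool
{
    $parent = rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $child  = rtrim($child,  DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Compare with the trailing separator kept, so that /var/www/html is not
    // reported as the parent of /var/www/html-data.
    return strncmp($child, $parent, strlen($parent)) === 0;
}

/** Returns a list of problems; an empty list means the layout is acceptable. */
function checkDataDir(string $dataDir, string $docRoot): array
{
    $problems = [];
    // realpath() resolves symlinks and "..", so a data folder that is merely
    // linked from inside the web root is caught as well.
    $realData = realpath($dataDir);
    $realRoot = realpath($docRoot);
    if ($realData === false) {
        return ["data directory does not exist: $dataDir"];
    }
    if ($realRoot !== false && isInside($realRoot, $realData)) {
        $problems[] = "$realData is inside document root $realRoot: reachable by URL";
    }
    $mode = fileperms($realData) & 0777;
    if (($mode & 0007) !== 0) {
        $problems[] = sprintf('%s is accessible to all local users (mode %04o)', $realData, $mode);
    }
    return $problems;
}

// Demo: two layouts under the system temp dir (constructed, removed afterwards).
$base = sys_get_temp_dir() . '/webmail_layout_demo_' . getmypid();
mkdir("$base/htdocs/data", 0755, true); // bad: data under the web root, world-readable
mkdir("$base/private",     0700, true); // good: beside the web root, owner-only

print_r(checkDataDir("$base/htdocs/data", "$base/htdocs"));
print_r(checkDataDir("$base/private",     "$base/htdocs"));

rmdir("$base/htdocs/data");
rmdir("$base/htdocs");
rmdir("$base/private");
rmdir($base);
```

The first call reports both problems for the default-style layout; the second returns an empty array. In a real deployment, pass the path you set in inc_settings_path.php and the web server's document root (for example `$_SERVER['DOCUMENT_ROOT']` when run through the server) instead of the constructed temp directories.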
 
Powered by Web Wiz Forums version 7.9
Copyright ©2001-2004 Web Wiz Guide