Sending plain-text passwords...

Hi,
there is a security issue in phpAlbum: all the passwords (login, registration and ftp) are sent in plain text and anyone on the net can read them.

Solving the problem is very simple. In a new version you could make all the critical links (those whose POST data contains a password) not http:// but https://.

For example

<form name="name" action="main.php" method="post">

should be something like:

<form name="name" action="https://link.to/the/site/main.php" method="post">

Bye and thanks for your work.

This is not as easy as you

This is not as easy as you say. To be able to use https:// you must have SSL support on your server. Not even I have this from my provider; it costs some money and I think almost all people do not have this on their servers.

Another way would be to encode the password on the client side via Javascript and decode it in the script. But if someone is sitting on your server there is no way to make it unbreakable :)

Patrik

re: This is not as easy as you

Mmh, of course you are right, but you could insert an option in config.php to let anyone decide whether to use the secure authentication or not.
This option could be turned off by default and turned on by those whose server runs the SSL module for Apache.
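As an added example (not phpAlbum's own code), here is how the config switch proposed above could look: a hypothetical `$secure_auth` option in config.php, off by default, that points the login form at an https URL and refuses credential POSTs that arrive over plain http. The form field names `password` and `ftp_password` are assumptions.

```php
<?php
// Added example, not phpAlbum's own code. Hypothetical config.php option:
// off by default, as suggested in the thread, for hosts without SSL.
$secure_auth = false;

// Build the form action: an absolute https URL when secure auth is on,
// otherwise the original relative action so non-SSL installs keep working.
function auth_form_action(bool $secureAuth, string $host, string $script): string
{
    if (!$secureAuth) {
        return $script;                 // e.g. "main.php"
    }
    return 'https://' . $host . '/' . ltrim($script, '/');
}

// Server-side check for requests that carry a password: with secure auth on,
// a credential POST that arrived over plain http is refused rather than
// processed, so a stale http link cannot silently leak the password.
function credentials_allowed(bool $secureAuth, bool $isHttps, array $post): bool
{
    $hasPassword = isset($post['password']) || isset($post['ftp_password']);
    if (!$hasPassword || !$secureAuth) {
        return true;
    }
    return $isHttps;
}

// Detect whether this request came over TLS. Behind a reverse proxy you would
// additionally have to trust X-Forwarded-Proto, which is deliberately not done here.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$host    = $_SERVER['HTTP_HOST'] ?? 'localhost';

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
    && !credentials_allowed($secure_auth, $isHttps, $_POST)) {
    http_response_code(403);
    exit('Login must be submitted over https when secure_auth is enabled.');
}

// Emit the login form with the action chosen by the config option.
$action = htmlspecialchars(auth_form_action($secure_auth, $host, 'main.php'), ENT_QUOTES);
echo '<form name="name" action="' . $action . '" method="post">';
```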
