Hello everyone,
I have been away for a while. I was just looking through the latest code and I was surprised by a few things. Why is BoonEx using md5/sha1 for password hashing? Why is the password hash being stored in a cookie? Why are you not creating a session token, storing it in the db and giving that to the user instead of leaking their own password in a cookie?
It's 2014, you must start taking security seriously. I have begun working on a patch to improve this important component of Dolphin as I plan on using it. I will update this post with a link to the code/patch on GitHub.
|
So I have successfully implemented bcrypt password hashing with Dolphin, here is the patch. It's really easy to deploy: just edit 1 file and increase the length of the password and salt columns in the Profiles table. This improved hashing function requires PHP 5.5+; for older versions of PHP look into PHPass.
This is one small step in further hardening your Dolphin instance. In the unlikely event you get hacked, it will be much harder, if not impossible, for anyone to decrypt the bcrypted passwords, unlike the current implementation.
|
I have made great progress improving the session handling, although this 'tweak' will require a few changes. I have been working on a fallback check for the new password hashing that will force existing md5/sha1 passwords to be updated to BCrypt.
The PDO work is going to take longer than I initially expected, though this will enable 11 additional database drivers. Once I have finished the session handling I will push this to GitHub.
|
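The fallback check described above (verify against a legacy md5/sha1 hash, then replace it with a bcrypt hash on the first successful login) and the session-token idea from the first post, as an added example that is not part of the patch or of Dolphin's own code. The legacy salting formula, the bcrypt cost of 12 and the column names `Password`/`Salt` are assumptions made for this demo.

```php
<?php
// Added example, not Dolphin's code. Requires PHP 5.5+ for the password_* API;
// hash_equals() needs PHP 5.6 (use a polyfill on 5.5).

// ASSUMPTION: how the old md5/sha1 hashes were built. Adjust to the real scheme.
function legacyHash($password, $salt) {
    return sha1(md5($password) . $salt);
}

function isBcryptHash($hash) {
    return strpos($hash, '$2y$') === 0;
}

/**
 * Returns array($ok, $newHash). $newHash is non-null when the stored hash must
 * be replaced: either a legacy md5/sha1 hash, or a bcrypt hash whose cost is
 * below the current target, so every successful login migrates the row.
 */
function verifyAndUpgrade($password, $storedHash, $storedSalt) {
    $options = array('cost' => 12); // ASSUMPTION: tune to your hardware
    if (isBcryptHash($storedHash)) {
        if (!password_verify($password, $storedHash)) {
            return array(false, null);
        }
        $newHash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)
            ? password_hash($password, PASSWORD_BCRYPT, $options)
            : null;
        return array(true, $newHash);
    }
    // Legacy path: constant-time compare, then produce a bcrypt replacement.
    if (!hash_equals($storedHash, legacyHash($password, $storedSalt))) {
        return array(false, null);
    }
    return array(true, password_hash($password, PASSWORD_BCRYPT, $options));
}

// What to put in the cookie instead of the password hash: a random token.
// Store only its SHA-256 in the db so a leaked table row cannot be replayed.
function newSessionToken() {
    $token = bin2hex(openssl_random_pseudo_bytes(32));
    return array('cookie' => $token, 'db' => hash('sha256', $token));
}

// Usage sketch; $row is the user's Profiles row (column names are assumptions).
// list($ok, $upgraded) = verifyAndUpgrade($_POST['password'], $row['Password'], $row['Salt']);
// if ($ok && $upgraded !== null) {
//     // UPDATE Profiles SET Password = ? WHERE ID = ?   (prepared statement)
// }
```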
The PDO work is going to take longer than I initially expected, though this will enable 11 additional database drivers. Once I have finished the session handling I will push this to GitHub.
Actually, it's an awesome idea to maintain an unofficial Dolphin repo. We could improve the product outside. I will go check what the Dolphin license states about it and report back here.
so much to do.... |
The PDO work is going to take longer than I initially expected, though this will enable 11 additional database drivers. Once I have finished the session handling I will push this to GitHub.
Actually, it's an awesome idea to maintain an unofficial Dolphin repo. We could improve the product outside. I will go check what the Dolphin license states about it and report back here.
Yes, we are permitted to redistribute our forks so long as we don't violate any terms of the BoonEx Dolphin licence. I have a few commits on a git repo of the latest version that I will be pushing to GitHub soon.
|
It would be awesome if BoonEx switched to Git(Hub). Seeing this a few months back got me excited, but it doesn't look very promising. |
Aw, it would be awesome if they maintained the git repo.
Oh and I will fork your work :P
so much to do.... |