I've been moderating a Snitz forum for about a year now. I ran into a few things but never took the time to report them really.
One of them is that passwords are stored in plain text in the database. This means quite a big security risk in my opinion. The webserver could be hacked in whatever way, and the database can be downloaded to a local machine and opened without any protection. Then it could be opened and the passwords are there in plain text.
It might as well be a misconfiguration by the administrator on that board, but still... In my opinion passwords must be stored encrypted by default.
Another thing is: why are passwords listed as **** (stars) in the edit menu for members? I mean, what use is it to put the passwords there? You can read them in plain text in the HTML source, which is yet again a security risk. You can easily put 2 empty password boxes for the administrator only to change the password (type new password and retype new password).
Are there any reasons not to do it this way or something?
A bartender is just a pharmacist with a limited inventory.