Dolibarr: Passwords should not be stored in plaintext

Created on 7 Feb 2018  路  4Comments  路  Source: Dolibarr/dolibarr

https://www.owasp.org/index.php/Password_Plaintext_Storage

The direct printing module requires the CUPS password to operate.
This password is stored in llx_const in the PRINTIPP_PASSWORD entry in plaintext!
It should be encrypted according to the settings available under admin/security.php.

Bug Security (CVE) Feature request

Most helpful comment

Suggestion as a feature request : Introducing a param $crypted into the _dol_set_const_ and _dol_get_const_ so anybody can use encryption of a parameter that need it only.
If this param is 1 and if the global var
$dolibarr_main_instance_unique_id is set into conf.php file (it is always from 10.0)
then we use it to crypt/uncrypt the value using openssl_encrypt/openssl_decrypt.

Also the field 'type' in tabel llx_const can be used to know if param has been encrypted or not.

All 4 comments

The same is valid for any password.
Other affected entries are:

  • PAYPAL_API_PASSWORD (PayPal Module)
  • LDAP_ADMIN_PASS (LDAP Module)
  • FTP_PASSWORD_* (FTP Module)
  • MAIN_PROXY_PASS (Security [sic] External access)
  • More?

@rdoursenaud
il faut un cryptage r茅versible !
sinon il existe une fonctionnalit茅 qui permet d'encrypter llx_const en globalit茅 avec une cl茅, reste 脿 rendre cette cl茅 s茅curis茅e !

@hregis On dit 芦聽chiffrement聽禄 : http://www.bortzmeyer.org/cryptage-n-existe-pas.html

Of course it has to be reversible for Dolibarr to be able to use them. openssl_encrypt() / openssl_decrypt() are the best candidates since mcrypt is in the process of being deprecated: https://wiki.php.net/rfc/mcrypt-viking-funeral

And yes, provisions have to be made to store the cypher properly.

Authenticating the encrypted strings is also a requirement for up-to-date crypto.

Suggestion as a feature request : Introducing a param $crypted into the _dol_set_const_ and _dol_get_const_ so anybody can use encryption of a parameter that need it only.
If this param is 1 and if the global var
$dolibarr_main_instance_unique_id is set into conf.php file (it is always from 10.0)
then we use it to crypt/uncrypt the value using openssl_encrypt/openssl_decrypt.

Also the field 'type' in tabel llx_const can be used to know if param has been encrypted or not.

Was this page helpful?
0 / 5 - 0 ratings