https://www.owasp.org/index.php/Password_Plaintext_Storage
The direct printing module requires the CUPS password to operate.
This password is stored in llx_const in the PRINTIPP_PASSWORD entry in plaintext!
It should be encrypted according to the settings available under admin/security.php.
The same is valid for any password.
Other affected entries are:
PAYPAL_API_PASSWORD (PayPal Module)LDAP_ADMIN_PASS (LDAP Module)FTP_PASSWORD_* (FTP Module)MAIN_PROXY_PASS (Security [sic] External access)@rdoursenaud
il faut un cryptage r茅versible !
sinon il existe une fonctionnalit茅 qui permet d'encrypter llx_const en globalit茅 avec une cl茅, reste 脿 rendre cette cl茅 s茅curis茅e !
@hregis On dit 芦聽chiffrement聽禄 : http://www.bortzmeyer.org/cryptage-n-existe-pas.html
Of course it has to be reversible for Dolibarr to be able to use them. openssl_encrypt() / openssl_decrypt() are the best candidates since mcrypt is in the process of being deprecated: https://wiki.php.net/rfc/mcrypt-viking-funeral
And yes, provisions have to be made to store the cypher properly.
Authenticating the encrypted strings is also a requirement for up-to-date crypto.
Suggestion as a feature request : Introducing a param $crypted into the _dol_set_const_ and _dol_get_const_ so anybody can use encryption of a parameter that need it only.
If this param is 1 and if the global var
$dolibarr_main_instance_unique_id is set into conf.php file (it is always from 10.0)
then we use it to crypt/uncrypt the value using openssl_encrypt/openssl_decrypt.
Also the field 'type' in tabel llx_const can be used to know if param has been encrypted or not.
Most helpful comment
Suggestion as a feature request : Introducing a param $crypted into the _dol_set_const_ and _dol_get_const_ so anybody can use encryption of a parameter that need it only.
If this param is 1 and if the global var
$dolibarr_main_instance_unique_id is set into conf.php file (it is always from 10.0)
then we use it to crypt/uncrypt the value using openssl_encrypt/openssl_decrypt.
Also the field 'type' in tabel llx_const can be used to know if param has been encrypted or not.