Summary

Joomla is currently less secure than, for example, WordPress is.

Problem:
User passwords are salted and hashed, and the password's hash and salt are stored in the users table in the database. If there is an SQL injection vulnerability, then an attacker finds everything he needs to crack the hashes in the database.

Solution:
Adding a secret, second salt that is unique for each Joomla site and that is not stored in the DB. I propose a 'pwsecret' property in the configuration.php.
There is already a 'secret' property, but by introducing a new property, the new code won't break existing password hashes, because it recognizes that the site was not yet set up to use this second salt in its hashes.
The feature cannot easily be applied to existing installations, but it will not break them and should be used for all new installations.

Code:
I have already forked Joomla on github and added this new feature.
See https://github.com/andywer/joomla-cms/commit/f38d6031c041ff51fd13c0240280d4b2246cc8ba and https://github.com/andywer/joomla-cms/commit/536a3f9ede97c82d4b12e164e95d8d317e2572c2

Please tell me what you think about it. Thanks!

Regards
Andy
Opened On:
10 Apr 2013, 5:09 by Andy Wermke
Closed On:
21 Apr 2013, 12:53
Status:
Closed
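The scheme the proposal describes, a per-site secret kept in configuration.php and mixed into the password hash alongside the per-user salt stored in the database, with verification that still accepts hashes created before the secret existed, as an added PHP example. This is illustration code, not Joomla's code and not the code in the linked fork; the `$config['pwsecret']` key is taken from the proposal, while the `pepper1$` prefix, the function names and the use of HMAC-SHA256 plus bcrypt are assumptions made here.

```php
<?php
// Added example (not Joomla's or the fork's code): a site-wide secret that
// lives in configuration.php, never in the users table, combined with the
// per-user salt that bcrypt generates and stores inside its own hash string.
declare(strict_types=1);

// Constructed stand-in for configuration.php. On a real site the value is
// generated once per installation with random_bytes() and never written to the DB.
$config = ['pwsecret' => bin2hex(random_bytes(32))];

// Marker (assumed name) for hashes that were computed with the site secret,
// so old hashes without it keep working after the feature is introduced.
const PEPPER_PREFIX = 'pepper1$';

// Mix the site secret into the password before the salted hash. HMAC gives a
// fixed-length result, so bcrypt's 72-byte input limit never truncates it.
function pepperPassword(string $password, string $pepper): string
{
    return hash_hmac('sha256', $password, $pepper);
}

// Used for new installations: bcrypt (salted) over the peppered password,
// tagged so verification knows the secret was part of the computation.
function hashPassword(string $password, string $pepper): string
{
    return PEPPER_PREFIX . password_hash(pepperPassword($password, $pepper), PASSWORD_BCRYPT);
}

// Verification recognises both formats: tagged hashes are checked with the
// secret, untagged (legacy) hashes exactly as before, so nothing breaks.
function verifyPassword(string $password, string $stored, string $pepper): bool
{
    if (strncmp($stored, PEPPER_PREFIX, strlen(PEPPER_PREFIX)) === 0) {
        $hash = substr($stored, strlen(PEPPER_PREFIX));
        return password_verify(pepperPassword($password, $pepper), $hash);
    }
    // Legacy hash from an installation that has no 'pwsecret' yet.
    return password_verify($password, $stored);
}

// Self-check with constructed passwords; returns true when every case behaves
// as intended: correct password accepted, wrong one rejected, legacy hash still
// accepted, and a hash useless to anyone holding the DB row but not the secret.
function selfCheck(array $config): bool
{
    $pepper = $config['pwsecret'];
    $stored = hashPassword('correct horse battery staple', $pepper);
    $legacy = password_hash('old-account-password', PASSWORD_BCRYPT);

    return verifyPassword('correct horse battery staple', $stored, $pepper)
        && !verifyPassword('wrong password', $stored, $pepper)
        && verifyPassword('old-account-password', $legacy, $pepper)
        && !verifyPassword('correct horse battery staple', $stored, 'dump-without-the-secret');
}

echo selfCheck($config) ? "all checks passed\n" : "a check failed\n";
```

The last check in `selfCheck` is the point of the proposal: a copy of the users table alone no longer lets the holder test candidate passwords against the stored hashes, because the HMAC key is missing. The trade-off the proposal notes applies here too: changing `pwsecret` invalidates every tagged hash, so the value must be backed up with the site and never rotated casually.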

Filed Under

  • Authentication & Login
  • Developer

Responses

Posted on 10 Apr 2013, 5:13 by Andy Wermke
Sorry, wrong tracker. Hit me.
Moved to: http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=30530

Please close. Thx.