Discussion forum about ELOG
Security (passwords over web browser), posted by Aamir Khan on Tue Feb 25 22:18:57 2003
    Re: Security (passwords over web browser), posted by Stefan Ritt on Wed Feb 26 10:34:12 2003
Message ID: 239     Entry time: Wed Feb 26 10:34:12 2003     In reply to: 236
Icon: Reply  Author: Stefan Ritt  Author Email: 
Category: Comment  OS:   ELOG Version:  
Subject: Re: Security (passwords over web browser) 
> Stefan - Just to say that this is an excellent piece of work well done.

> 1) is there a way around seeing the password in text when self 
> if I turn this option off when the user changes his password will this 
> password still be seen?

Where did you see the password? Was it on this logbook or on your own? Did 
you use "self register" equal 3 or 2? The password should never be visible 
in plain text, so after you submit it (during registration or login), the 
page gets immediately redirected since the password is contained in the 
URL. After the redirection, it is not visible any more. Now it might happen 
that the redirection takes a few seconds, depending on the network speed, 
then you see it for these few seconds. But in an intranet installation, this 
should not happen.

> 2) I have changed all the files to be owned on my RedHat Server by the 
> user:group as elog:elog and set and moved the logbooks to another 
> other than in /usr/local/elog namely /home/elog/logbooks, my concern is 
> I was to upgrade to a newer version would it be a simple install over the 
> top? any caveats?

Yes, if you upgrade, the new version will again go into /usr/local/elog 
unless you tell "rpm" to relocate the package. Unfortunately I'm not a 
specialist with "rpm", but you might figure it out yourself (just try to 
reinstall the same version and look where the files go with "rpm -ql elog").
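
Added example, not part of the original post and not ELOG code: a URL that carries a password can be written to web server or proxy access logs even when the browser is redirected right away, so this sketch finds and masks such values in common-format log lines. The parameter names, paths and log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names; the post does not say what the login form calls them.
SENSITIVE = {"password", "passwd", "pwd"}
# Request line of a common/combined-format access log entry.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (target with credential values masked, names that were masked)."""
    parts = urlsplit(target)
    hits, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not hits:
        return target, []  # leave unaffected targets byte-identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits

def scrub_line(line):
    """Mask credentials in one log line; returns (line, masked names)."""
    m = REQUEST.search(line)
    if not m:
        return line, []
    target, hits = redact_target(m.group("target"))
    return line[:m.start("target")] + target + line[m.end("target"):], hits

def scan(lines):
    """Return (line number, masked names, scrubbed line) for each affected line."""
    out = []
    for n, line in enumerate(lines, 1):
        scrubbed, hits = scrub_line(line)
        if hits:
            out.append((n, hits, scrubbed))
    return out

# Constructed sample: a login request followed by the redirected page load.
SAMPLE = [
    '10.0.0.5 - - [26/Feb/2003:10:30:01 +0100] '
    '"GET /demo/?user=alice&password=s3cret HTTP/1.1" 302 0',
    '10.0.0.5 - - [26/Feb/2003:10:30:02 +0100] "GET /demo/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for n, hits, scrubbed in scan(SAMPLE):
        print(f"line {n}: masked {hits}\n  {scrubbed}")
```

Any line this reports means the credential was stored in the log before scrubbing, so the affected password should be treated as exposed to anyone with read access to that log.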