Demo Discussion

Forum Config Examples Contributions Vulnerabilities

Discussion forum about ELOG, Page 734 of 796  Not logged in

Find |  Login |  Help

Full | Summary | Threaded | Hide attachments     -- All entries -- Last day Last 3 Days Last week Last month Last 3 Months Last 6 Months Last Year -- Category -- Info Bug report Bug fix Question Request Comment Other  6361 Entries

Goto page Previous  1, 2, 3 ... 733, 734, 735 ... 794, 795, 796   Next

ID Date Icon Author Author Email Category OS ELOG Version Subject   1159   Fri May 27 14:48:05 2005   Stefan Ritt stefan.ritt@psi.ch Request   2.5.8-6 Re: password encryption Alex H wrote: Hi Stefan, I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page, I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better. Could you fix it for the next release ? Thanks a lot. Alex Unfortunately there is no real way around that. If a password is entered into a text box, it is always transferred in plain text (which means that in security-sensive installations one should always use SSL together with elog). I encrypt it on the server side and do an immediate redirect which "hided" the plain password, but if your connection is slow, you might see it for a moment. Unless nobody has a clever idea of how to prevent this, we're out of luck.   1160   Mon May 30 10:01:14 2005   Alex H alex@synergie-inf.com Request   2.5.8-6 Re: password encryption Stefan Ritt wrote: Alex H wrote: Hi Stefan, I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page, I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better. Could you fix it for the next release ? Thanks a lot. Alex Unfortunately there is no real way around that. If a password is entered into a text box, it is always transferred in plain text (which means that in security-sensive installations one should always use SSL together with elog). I encrypt it on the server side and do an immediate redirect which "hided" the plain password, but if your connection is slow, you might see it for a moment. Unless nobody has a clever idea of how to prevent this, we're out of luck. Oki Thanks for the answer . Alex   1161   Mon May 30 19:18:34 2005   Gary Clayson g_clayson@sbcglobal.net Request Windows 2.5.8-6 Re: password encryption Hello Alex and Stefan, I know of only one way to "hide" the text of the status bar in a web browser; use JavaScript - specifically the status method (as in the following example): <!-- the following goes in the body of the document, perhaps in a link. --> <!-- sample link --> <a href="javascript://place link url here" onMouseOver="window.status='Status Bar Text Goes Here'; return true">Link Text Here</a> <!-- place the following script in the head of the document --> <script language="JavaScript" type="text/javascript"><!-- window.defaultStatus="Default Status Bar Text Here"; --></script> Of course the above only works in those browsers that support javascripting, but it is one way to hide the actual text of links from the user. Hopefully this helps you! Gary Clayson Alex H wrote: Hi Stefan, I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page, I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better. Could you fix it for the next release ? Thanks a lot. Alex   1162   Mon May 30 19:56:01 2005   Emiliano Gabrielli AlberT@SuperAlberT.it Request Windows 2.5.8-6 Re: password encryption Gary Clayson wrote: Hello Alex and Stefan, I know of only one way to "hide" the text of the status bar in a web browser; use JavaScript - specifically the status method (as in the following example): <!-- the following goes in the body of the document, perhaps in a link. --> <!-- sample link --> <a href="javascript://place link url here" onMouseOver="window.status='Status Bar Text Goes Here'; return true">Link Text Here</a> <!-- place the following script in the head of the document --> <script language="JavaScript" type="text/javascript"><!-- window.defaultStatus="Default Status Bar Text Here"; --></script> Of course the above only works in those browsers that support javascripting, but it is one way to hide the actual text of links from the user. Hopefully this helps you! Gary Clayson Alex H wrote: Hi Stefan, I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page, I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better. Could you fix it for the next release ? Thanks a lot. Alex I don't have double checked .. but .. why we need to pass the sensible information in the Query String ?? Are you sure that putting it in an hidden field (and eventualli using a GET methon in the <form>-tag) can't be a solution?   1163   Mon May 30 20:16:11 2005   Stefan Ritt stefan.ritt@psi.ch Request Windows 2.5.8-6 Re: password encryption Emiliano Gabrielli wrote: I don't have double checked .. but .. why we need to pass the sensible information in the Query String ?? Are you sure that putting it in an hidden field (and eventualli using a GET methon in the <form>-tag) can't be a solution? Hidden means only these fields are not shown in the form, but they are added to the URL in the same way as non-hidden fields. But I got another idea: I will try to use a POST form instead of the GET form. Using the POST method, fields are attached to the request and not present in the URL. Hope this will work. When I find some time to work on it I will let you know.   1164   Tue May 31 09:07:37 2005   Alex H alex@synergie-inf.com Request Windows 2.5.8-6 Re: password encryption Thanks Stefan 8)   1176   Sat Jun 4 14:00:17 2005   Stefan Ritt stefan.ritt@psi.ch Request   2.5.8-6 Re: password encryption Alex H wrote: I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page, I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better. Could you fix it for the next release ? Thanks a lot. Alex I switched the login page to the HTTP "POST" method, where arguments are not passed in the URL. The new version is under CVS. Can you try if the behaviour is better now? I upgraded also the ELOG forum, so you can try there as well.   1229   Wed Jul 6 16:02:30 2005   Tim Iskander tim.iskander@criticallink.com Request All 2.5.8 Request: can the comment for a log book be put in the status bar on hover We have several logbooks running here with somewhat cryptic names. The comment field for the logbook describes its intent well enough, so the thought was that the comment could show up in the status bar (or tooltip) when you hover over the logbook name in the tabs at the top of the page. ___ yea ___ nea /Tim

Goto page Previous  1, 2, 3 ... 733, 734, 735 ... 794, 795, 796   Next

ELOG V3.1.5-fe60aaf