Hi everybody!
After having read http://cynosureprime.blogspot.de/2017/0 ... posed.html, I had a look at the password hashing of Memberpages 3.6.4 and found that it is vulnerable to storing weak password hashes in cookies (besides a timing attack vulnerability). Therefore I have released Memberpages 3.6.5 which requires PHP ≥ 5.3.7 now.
All users are strongly advised to update to this version as soon as possible!
Note that I consider the plain-text password storage of Memberpages a vulnerability as well, but I do not have the time to fix that with regard to the password forgotten functionality. Consider using Register_XH instead.
Password Hashing Vulnerability in Memberpages 3.6.4 and below
Christoph M. Becker – Plugins for CMSimple_XH
Re: Password Hashing Vulnerability in Memberpages 3.6.4 and below
Hi again!
I just noticed that Memberpages 3.6.5 still leaves another vulnerability regarding the "remember me" functionality. (Sorry I can't disclose any details here.)
So you are strongly advised to disable the "remember me" functionality for the time being!
Christoph M. Becker – Plugins for CMSimple_XH