Password Hashing Vulnerability in Memberpages 3.6.4 and below

Post by cmb » Tue Sep 05, 2017 1:41 pm

Hi everybody!

After having read http://cynosureprime.blogspot.de/2017/0 ... posed.html, I had a look at the password hashing of Memberpages 3.6.4 and found that it is vulnerable to storing weak password hashes in cookies (besides a timing attack vulnerability). Therefore I have released Memberpages 3.6.5 which requires PHP ≥ 5.3.7 now.

All users are strongly advised to update to this version as soon as possible!

Note that I consider the plain-text password storage of Memberpages as a vulnerability as well, but I do not have the time to fix that with regard to the password forgotten functionality. Consider using Register_XH instead.
Christoph M. Becker – Plugins for CMSimple_XH

Re: Password Hashing Vulnerability in Memberpages 3.6.4 and below

Post by cmb » Tue Sep 05, 2017 2:30 pm

Hi again!

I just noticed that Memberpages 3.6.5 still leaves another vulnerability regarding the "remember me" functionality. (Sorry I can't disclose any details here.)

So you are strongly advised to disable the "remember me" functionality for the time being!
Christoph M. Becker – Plugins for CMSimple_XH
