Rev 670 | Rev 695 | ||
---|---|---|---|
Line 5... | Line 5... | ||
5 | - BCrypt |
5 | - BCrypt |
6 | Make #rounds and length of admin password configurable (pre-baseconfig?) |
6 | Make #rounds and length of admin password configurable (pre-baseconfig?) |
7 | Include dev/bcrypt_cost_calculator somewhere in the configuration page? |
7 | Include dev/bcrypt_cost_calculator somewhere in the configuration page? |
8 | ... At least give a hint to the documentation, so they know how to run the tool and how to enter the cost in the configuration (for RA and Admin) |
8 | ... At least give a hint to the documentation, so they know how to run the tool and how to enter the cost in the configuration (for RA and Admin) |
9 | ... or in the setup page make an extra control how complex the admin password should be? but be aware that nobody enters a too big number (it makes DoS possible!) |
9 | ... or in the setup page make an extra control how complex the admin password should be? but be aware that nobody enters a too big number (it makes DoS possible!) |
- | 10 | - system log plugin: Only show 100 events and let the user switch pages. To avoid that you load a page with 10000+ log entries! |
10 | 11 | ||
11 | 12 | ||
12 | SECURITY Improvements: |
13 | SECURITY Improvements: |
13 | - Small security issue: A visitor can check which plugins are installed by either entering a "goto" command (e.g. "oidplus:vnag_version_check") |
14 | - Small security issue: A visitor can check which plugins are installed by either entering a "goto" command (e.g. "oidplus:vnag_version_check") |
14 | and see which error message appears, or they could try to enter "plugin/adminPages/..." using the web browser and see if the result is HTTP 200 or HTTP 404. |
15 | and see which error message appears, or they could try to enter "plugin/adminPages/..." using the web browser and see if the result is HTTP 200 or HTTP 404. |
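Review bot: the new line 10 ("system log plugin: Only show 100 events and let the user switch pages") is filed under the BCrypt block, but its motivation is the same resource-exhaustion concern as the "too big number (it makes DoS possible!)" note on line 9, so it belongs under the "SECURITY Improvements:" heading rather than between the BCrypt items. It would also help to state that the 100-entry page size is enforced server-side (and, like the bcrypt rounds on line 6, made configurable with an upper bound), since a client-selectable page size would not prevent the 10000+ entry load the item wants to avoid.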