Subversion Repositories oidplus


Rev 670 Rev 695
Line 5... Line 5...
5
- BCrypt
5
- BCrypt
6
	Make #rounds and length of admin password configurable (pre-baseconfig?)
6
	Make #rounds and length of admin password configurable (pre-baseconfig?)
7
	Include dev/bcrypt_cost_calculator somewhere in the configuration page?
7
	Include dev/bcrypt_cost_calculator somewhere in the configuration page?
8
	... At least give a hint to the documentation, so they know how to run the tool and how to enter the cost in the configuration (for RA and Admin)
8
	... At least give a hint to the documentation, so they know how to run the tool and how to enter the cost in the configuration (for RA and Admin)
9
	... or in the setup page make an extra control how complex the admin password should be? but be aware that nobody enters a too big number (it makes DoS possible!)
9
	... or in the setup page make an extra control how complex the admin password should be? but be aware that nobody enters a too big number (it makes DoS possible!)
-
 
10
- system log plugin: Only show 100 events and let the user switch pages. To avoid that you load a page with 10000+ log entries!
10
 
11
 
11
 
12
 
12
SECURITY Improvements:
13
SECURITY Improvements:
13
- Small security issue: A visitor can check which plugins are installed by either entering a "goto" command (e.g. "oidplus:vnag_version_check")
14
- Small security issue: A visitor can check which plugins are installed by either entering a "goto" command (e.g. "oidplus:vnag_version_check")
14
  and see which error message appears, or they could try to enter "plugin/adminPages/..." using the web browser and see if the result is HTTP 200 or HTTP 404.
15
  and see which error message appears, or they could try to enter "plugin/adminPages/..." using the web browser and see if the result is HTTP 200 or HTTP 404.
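Review bot: the line added in Rev 695 as line 10 ("system log plugin: Only show 100 events and let the user switch pages. To avoid that you load a page with 10000+ log entries!") is filed as a general TODO above the blank lines, but the problem it describes is the same resource-exhaustion risk that line 9 already flags for the bcrypt cost ("it makes DoS possible!"), so it belongs under the "SECURITY Improvements:" heading that follows on line 13 of Rev 695, next to the plugin-enumeration item. The entry should also state that the 100-event limit has to be enforced server-side in the log query (page size and offset validated against a hard upper bound), because a page switch done only in the browser would still pull all 10000+ entries per request.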