Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Password Protect Plugin for GS
#1
Password Protect
Password Protect let's GetSimple CMS users assign a password to their pages, a user can enter a password to gain access to the page.

A very simple plugin to use and is ideal for webmasters that need a quick and simple way to password restrict a page.

Screenshots

Page edit form
[Image: screenshot1.png]

Frontend view password prompt
[Image: screenshot2.png]

Download
Extend
GitHub
Web Developer
Plugins: GS Plugin Installer | Referrer Blocker | Password Protect
Reply
#2
Great idea!

I did a french lang file (http://get-simple.info/extend/plugin-lan...ugin/1023/ ), you may include it if you want.

Hmmm.. You are saving the password in clear text, aren't you?
__
Contact me if you need a french translation file for your plugin.
Reply
#3
You should never keep unhashed passwords in database/files

instead of
Code:
$note->addCData($password);

at very least use:
Code:
$xml->addChild('password', sha1($password.$a_random_salt));
$xml->addChild(‘salt‘, $a_random_salt);

addCData not required in this case.

Or even better, use PHP function specially intended for that:
http://php.net/manual/en/function.password-hash.php

regards
Reply
#4
(2016-03-14, 00:36:43)Bigin Wrote: You should never keep unhashed passwords in database/files

instead of



Code:
$note->addCData($password);

at very least use:



Code:
$xml->addChild('password', sha1($password.$a_random_salt));
$xml->addChild(‘salt‘, $a_random_salt);

addCData not required in this case.

Or even better, use PHP function specially intended for that:
http://php.net/manual/en/function.password-hash.php

regards


Yes, In ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
  • The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
  • It is only view-able to admins.
  • If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password protected page.
  • The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.

(2016-03-13, 23:31:18)Charpy1 Wrote: Great idea!

I did a french lang file (http://get-simple.info/extend/plugin-lan...ugin/1023/ ), you may include it if you want.

Hmmm.. You are saving the password in clear text, aren't you?

Thanks!
I have included the translation in GitHub, will put it out into extend soon.
Web Developer
Plugins: GS Plugin Installer | Referrer Blocker | Password Protect
Reply
#5
(2016-03-14, 04:53:44)HelgeSverre Wrote: Yes, In ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
  • The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
  • It is only view-able to admins.
  • If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password protected page.
  • The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.

I do not see any reason why you would want to store the password in plain text, it's definitely not correct!
Reply
#6
(2016-03-14, 05:25:35)Bigin Wrote:
(2016-03-14, 04:53:44)HelgeSverre Wrote: Yes, In ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:

  • The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
  • It is only view-able to admins.
  • If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password protected page.
  • The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.

I do not see any reason why you would want to store the password in plain text, it's definitely not correct!

You are free to use another plugin or create your own in that case.
Web Developer
Plugins: GS Plugin Installer | Referrer Blocker | Password Protect
Reply
#7
Please don't take it that way.. You shouldn't be offensed, and every here is thankfull to you for contributing to GS with this plugin.

You also have to consider that if you share your plugin, other may not have the same needs that you have. Security isn't a small issue, for both integrity of the GS websites and the GS reputation.

I think that for such a plugin, both password AND page content has to be stored hashed, with salt, AES1024 and everything! I don't have enough skills to improve it by myself, however.
__
Contact me if you need a french translation file for your plugin.
Reply
#8
I think it is fine, it does not gain an attacker any priviledge escalation, viewing a page does not really constitute a high security scenario. Visible password is a feature also for sharing.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#9
(2016-03-14, 07:22:44)shawn_a Wrote: I think it is fine, it does not gain an attacker any priviledge escalation, viewing a page does not really constitute a high security scenario. Visible password is a feature  also for sharing.

Yup, was what I thought as well.
Web Developer
Plugins: GS Plugin Installer | Referrer Blocker | Password Protect
Reply
#10
You made a point. But you can't assume that the page content isn't some vital informations, so.. hmm.
Well, it's also possible to make password encryption an option, I guess...?
__
Contact me if you need a french translation file for your plugin.
Reply
#11
(2016-03-14, 07:22:44)shawn_a Wrote: I think it is fine, it does not gain an attacker any priviledge escalation, viewing a page does not really constitute a high security scenario.

The same: that is no reason to store password in plain text.
The most people want to remember their password, so they use the same password everywhere at admin and front-end email etc. I do know people that accidentally deleted or have not uploaded important files like .htaccess, so that the xml files were accessible in a browser by DIRECT URL ACCESS like „www.website.com/data/pages/welcome_here_is_my_pass.html"

(2016-03-14, 07:22:44)shawn_a Wrote: Visible password is a feature  also for sharing.

Yes, maybe in the old days (10 years ago), just like sending a new password in plaintext by email, on request Smile
Reply
#12
(2016-03-14, 18:17:27)Bigin Wrote:
(2016-03-14, 07:22:44)shawn_a Wrote: I think it is fine, it does not gain an attacker any priviledge escalation, viewing a page does not really constitute a high security scenario.

The same: that is no reason to store password in plain text.
The most people want to remember their password, so they use the same password everywhere at admin and front-end email etc. I do know people that accidentally deleted or have not uploaded important files like .htaccess, so that the xml files were accessible in a browser by DIRECT URL ACCESS like „www.website.com/data/pages/welcome_here_is_my_pass.html"


(2016-03-14, 07:22:44)shawn_a Wrote: Visible password is a feature  also for sharing.

Yes, maybe in the old days (10 years ago), just like sending a new password in plaintext by email, on request Smile

I said no.
Web Developer
Plugins: GS Plugin Installer | Referrer Blocker | Password Protect
Reply
#13
Very useful.
Thank you!

C.
Reply
#14
Hi there,
I've just installed the plugin but it makes my website blank...
No panic, just delete the php file under "plugins" and the folder and the website come back.
I've tried a couple of times, always the same result.
Am I missing something?
thanks

Nico
Reply
#15
   
(2016-04-04, 23:55:06)nicolap Wrote: Hi there,
I've just installed the plugin but it makes my website blank...
No panic, just delete the php file under "plugins" and the folder and the website come back.
I've tried a couple of times, always the same result.
Am I missing something?
thanks

Nico

actually it makes me install it, but then it gives me error and the plugin gets automatically disabled; and afterwards the website get empty.
Reply
#16
turn debug on or check your error log in data/other/logs/ it sounds like a php error in the plugin.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#17
(2016-04-05, 06:37:49)shawn_a Wrote: turn debug on or check your error log in data/other/logs/ it sounds like a php error in the plugin.

Thanks, Will check it out when I have a spare moment.
Web Developer
Plugins: GS Plugin Installer | Referrer Blocker | Password Protect
Reply
#18
I've also tried with another connection (home), bu when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.

thanks for a hint

Nicola

http://www.lamossa.net
Reply
#19
(2016-04-07, 05:56:59)nicolap Wrote: I've also tried with another connection (home), bu when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.

thanks for a hint

Nicola

http://www.lamossa.net

What web host are you using?
Web Developer
Plugins: GS Plugin Installer | Referrer Blocker | Password Protect
Reply
#20
(2016-04-07, 22:32:04)HelgeSverre Wrote:
(2016-04-07, 05:56:59)nicolap Wrote: I've also tried with another connection (home), bu when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.

thanks for a hint

Nicola

http://www.lamossa.net

What web host are you using?

lamossa.net is under F5 BIG-IP APACHE hosted by OVH
I've also tried the plugin at lamichetta.it, that is under LINUX APACHE hosted by ARUBA
same result, the website gets blank.
I've tried this from my company network and from home with a private connection

Is it the first time you hear of such a bug...?

thanks
Reply
#21
Might be php version problem the error log will say a fatal error if you have white screen of death
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#22
Do you know which PHP version you are running on, I used a short array declaration "[]" in the plugin, if your PHP version doesn't support that it could possibly cause the errors you are having.
Web Developer
Plugins: GS Plugin Installer | Referrer Blocker | Password Protect
Reply
#23
I am receiving the same thing. I activate the plugin and site goes blank.

Turned on debugging and got this:

Code:
Parse error: syntax error, unexpected '[' in /plugins/password_protect.php on line 56


Running PHP 5.3
Reply
#24
(2016-04-15, 12:33:54)mengi Wrote: I am receiving the same thing. I activate the plugin and site goes blank.

Turned on debugging and got this:


Code:
Parse error: syntax error, unexpected '[' in /plugins/password_protect.php on line 56


Running PHP 5.3


This is because your PHP version is too old to understand shorthand arrray syntax "$variable = [];".

Upgrade your PHP version.
Web Developer
Plugins: GS Plugin Installer | Referrer Blocker | Password Protect
Reply
#25
(2016-04-21, 18:33:02)HelgeSverre Wrote: This is because your PHP version is too old to understand shorthand arrray syntax "$variable = [];".

Upgrade your PHP version.

If you just changed that line to $html = array(); your plugin would be compatible with PHP 5.2, which, by the way, is the minimum required by GS.
There are many many hosts using PHP 5.3 (and quite a lot with 5.2)
Reply




Users browsing this thread: 1 Guest(s)