Posts: 76
Threads: 7
Joined: Jun 2015
2016-03-13, 21:37:39
(This post was last modified: 2016-03-13, 21:40:46 by HelgeSverre.)
Password Protect
Password Protect lets GetSimple CMS users assign a password to their pages; a user can enter a password to gain access to the page.
A very simple plugin to use, ideal for webmasters who need a quick and simple way to password restrict a page.
Screenshots
Page edit form
Frontend view password prompt
Download
Extend
GitHub
Posts: 48
Threads: 3
Joined: Feb 2016
Great idea!
I did a French lang file ( http://get-simple.info/extend/plugin-lan...ugin/1023/ ), you may include it if you want.
Hmmm.. You are saving the password in clear text, aren't you?
__
Contact me if you need a french translation file for your plugin.
Posts: 538
Threads: 12
Joined: May 2013
You should never keep unhashed passwords in database/files
instead of
Code: $note->addCData($password);
at very least use:
Code: $xml->addChild('password', sha1($password.$a_random_salt));
$xml->addChild('salt', $a_random_salt);
addCData not required in this case.
Or even better, use PHP function specially intended for that:
http://php.net/manual/en/function.password-hash.php
regards
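The password_hash() approach suggested in the post above, as an added example that is not part of the original post or the plugin's code. The helper names pp_set_password and pp_check_password and the sample XML are hypothetical, and PHP 5.5 or later is assumed; with only a hash stored, the page edit form can no longer display the password.

```php
<?php
// Added example: hypothetical helpers, not the plugin's own code.
// Requires PHP >= 5.5 for password_hash() / password_verify().

/** Store a hash of the page password in the page XML instead of the clear text. */
function pp_set_password(SimpleXMLElement $xml, $password)
{
    unset($xml->password); // drop any earlier value
    // password_hash() generates a random salt and embeds it, together with the
    // algorithm and cost, in the returned string, so no separate <salt> node.
    $xml->addChild('password', password_hash($password, PASSWORD_DEFAULT));
}

/** Check a visitor-supplied password against the stored hash. */
function pp_check_password(SimpleXMLElement $xml, $attempt)
{
    $stored = (string) $xml->password;
    if ($stored === '') {
        return false; // no password stored: treat "unprotected page" elsewhere
    }
    if (!password_verify($attempt, $stored)) {
        return false;
    }
    // Re-hash transparently when PHP's default algorithm or cost has changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        pp_set_password($xml, $attempt);
    }
    return true;
}

// Constructed sample page file (structure is illustrative only).
$xml = new SimpleXMLElement('<item><title>Members</title></item>');
pp_set_password($xml, 'correct horse');

var_dump(pp_check_password($xml, 'correct horse')); // matching attempt
var_dump(pp_check_password($xml, 'wrong'));         // non-matching attempt

// The serialized page holds only the password_hash() string, so a data file
// exposed by a missing .htaccess does not reveal the password itself.
echo $xml->asXML(), "\n";
```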
Posts: 76
Threads: 7
Joined: Jun 2015
2016-03-14, 04:53:44
(This post was last modified: 2016-03-14, 05:00:02 by HelgeSverre.)
(2016-03-14, 00:36:43)Bigin Wrote: You should never keep unhashed passwords in database/files
instead of
Code: $note->addCData($password);
at very least use:
Code: $xml->addChild('password', sha1($password.$a_random_salt));
$xml->addChild('salt', $a_random_salt);
addCData not required in this case.
Or even better, use PHP function specially intended for that:
http://php.net/manual/en/function.password-hash.php
regards
Yes, in ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
- The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
- It is only viewable to admins.
- If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password protected page.
- The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.
(2016-03-13, 23:31:18)Charpy1 Wrote: Great idea!
I did a french lang file (http://get-simple.info/extend/plugin-lan...ugin/1023/ ), you may include it if you want.
Hmmm.. You are saving the password in clear text, aren't you?
Thanks!
I have included the translation in GitHub, will put it out into extend soon.
Posts: 538
Threads: 12
Joined: May 2013
(2016-03-14, 04:53:44)HelgeSverre Wrote: Yes, In ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
- The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
- It is only view-able to admins.
- If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password protected page.
- The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.
I do not see any reason why you would want to store the password in plain text, it's definitely not correct!
Posts: 76
Threads: 7
Joined: Jun 2015
2016-03-14, 05:26:52
(This post was last modified: 2016-03-14, 05:32:45 by HelgeSverre.)
(2016-03-14, 05:25:35)Bigin Wrote: (2016-03-14, 04:53:44)HelgeSverre Wrote: Yes, In ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
- The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
- It is only view-able to admins.
- If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password protected page.
- The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.
I do not see any reason why you would want to store the password in plain text, it's definitely not correct!
You are free to use another plugin or create your own in that case.
Posts: 48
Threads: 3
Joined: Feb 2016
2016-03-14, 06:15:22
(This post was last modified: 2016-03-14, 06:15:40 by Charpy1.)
Please don't take it that way.. You shouldn't be offended, and everyone here is thankful to you for contributing to GS with this plugin.
You also have to consider that if you share your plugin, others may not have the same needs that you have. Security isn't a small issue, for both integrity of the GS websites and the GS reputation.
I think that for such a plugin, both password AND page content have to be stored hashed, with salt, AES1024 and everything! I don't have enough skills to improve it by myself, however.
__
Contact me if you need a french translation file for your plugin.
Posts: 6,266
Threads: 181
Joined: Sep 2011
I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario. Visible password is a feature also for sharing.
Posts: 76
Threads: 7
Joined: Jun 2015
(2016-03-14, 07:22:44)shawn_a Wrote: I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario. Visible password is a feature also for sharing.
Yup, was what I thought as well.
Posts: 48
Threads: 3
Joined: Feb 2016
2016-03-14, 08:38:00
(This post was last modified: 2016-03-14, 08:38:10 by Charpy1.)
You made a point. But you can't assume that the page content isn't some vital information, so.. hmm.
Well, it's also possible to make password encryption an option, I guess...?
__
Contact me if you need a french translation file for your plugin.
Posts: 538
Threads: 12
Joined: May 2013
(2016-03-14, 07:22:44)shawn_a Wrote: I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario.
The same: that is no reason to store a password in plain text.
Most people want to remember their password, so they use the same password everywhere, at admin and front-end, email etc. I do know people that accidentally deleted or have not uploaded important files like .htaccess, so that the XML files were accessible in a browser by DIRECT URL ACCESS like "www.website.com/data/pages/welcome_here_is_my_pass.html"
(2016-03-14, 07:22:44)shawn_a Wrote: Visible password is a feature also for sharing.
Yes, maybe in the old days (10 years ago), just like sending a new password in plaintext by email, on request
Posts: 76
Threads: 7
Joined: Jun 2015
(2016-03-14, 18:17:27)Bigin Wrote: (2016-03-14, 07:22:44)shawn_a Wrote: I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario.
The same: that is no reason to store a password in plain text.
Most people want to remember their password, so they use the same password everywhere, at admin and front-end, email etc. I do know people that accidentally deleted or have not uploaded important files like .htaccess, so that the XML files were accessible in a browser by DIRECT URL ACCESS like "www.website.com/data/pages/welcome_here_is_my_pass.html"
(2016-03-14, 07:22:44)shawn_a Wrote: Visible password is a feature also for sharing.
Yes, maybe in the old days (10 years ago), just like sending a new password in plaintext by email, on request
I said no.
Posts: 39
Threads: 5
Joined: Oct 2013
Very useful.
Thank you!
C.
Posts: 12
Threads: 1
Joined: Jan 2013
2016-04-04, 23:55:06
(This post was last modified: 2016-04-04, 23:55:29 by nicolap.)
Hi there,
I've just installed the plugin but it makes my website blank...
No panic, just delete the PHP file under "plugins" and the folder and the website comes back.
I've tried a couple of times, always the same result.
Am I missing something?
thanks
Nico
Posts: 12
Threads: 1
Joined: Jan 2013
(2016-04-04, 23:55:06)nicolap Wrote: Hi there,
I've just installed the plugin but it makes my website blank...
No panic, just delete the PHP file under "plugins" and the folder and the website comes back.
I've tried a couple of times, always the same result.
Am I missing something?
thanks
Nico
Actually it lets me install it, but then it gives me an error and the plugin gets automatically disabled; and afterwards the website gets empty.
Posts: 6,266
Threads: 181
Joined: Sep 2011
Turn debug on or check your error log in data/other/logs/; it sounds like a PHP error in the plugin.
Posts: 76
Threads: 7
Joined: Jun 2015
(2016-04-05, 06:37:49)shawn_a Wrote: Turn debug on or check your error log in data/other/logs/; it sounds like a PHP error in the plugin.
Thanks, Will check it out when I have a spare moment.
Posts: 12
Threads: 1
Joined: Jan 2013
I've also tried with another connection (home), but when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.
thanks for a hint
Nicola
www.lamossa.net
Posts: 76
Threads: 7
Joined: Jun 2015
(2016-04-07, 05:56:59)nicolap Wrote: I've also tried with another connection (home), but when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.
thanks for a hint
Nicola
www.lamossa.net
What web host are you using?
Posts: 12
Threads: 1
Joined: Jan 2013
(2016-04-07, 22:32:04)HelgeSverre Wrote: (2016-04-07, 05:56:59)nicolap Wrote: I've also tried with another connection (home), but when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.
thanks for a hint
Nicola
www.lamossa.net
What web host are you using?
lamossa.net is under F5 BIG-IP APACHE hosted by OVH
I've also tried the plugin at lamichetta.it, that is under LINUX APACHE hosted by ARUBA
same result, the website gets blank.
I've tried this from my company network and from home with a private connection
Is it the first time you hear of such a bug...?
thanks
Posts: 6,266
Threads: 181
Joined: Sep 2011
Might be a PHP version problem; the error log will say a fatal error if you have white screen of death.
Posts: 76
Threads: 7
Joined: Jun 2015
Do you know which PHP version you are running on? I used a short array declaration "[]" in the plugin; if your PHP version doesn't support that it could possibly cause the errors you are having.
Posts: 12
Threads: 2
Joined: Apr 2014
2016-04-15, 12:33:54
(This post was last modified: 2016-04-15, 12:35:07 by mengi.)
I am receiving the same thing. I activate the plugin and site goes blank.
Turned on debugging and got this:
Code: Parse error: syntax error, unexpected '[' in /plugins/password_protect.php on line 56
Running PHP 5.3
Posts: 76
Threads: 7
Joined: Jun 2015
(2016-04-15, 12:33:54)mengi Wrote: I am receiving the same thing. I activate the plugin and site goes blank.
Turned on debugging and got this:
Code: Parse error: syntax error, unexpected '[' in /plugins/password_protect.php on line 56
Running PHP 5.3
This is because your PHP version is too old to understand shorthand array syntax "$variable = [];".
Upgrade your PHP version.
Posts: 3,491
Threads: 106
Joined: Mar 2010
(2016-04-21, 18:33:02)HelgeSverre Wrote: This is because your PHP version is too old to understand shorthand array syntax "$variable = [];".
Upgrade your PHP version.
If you just changed that line to $html = array(); your plugin would be compatible with PHP 5.2, which, by the way, is the minimum required by GS.
There are many many hosts using PHP 5.3 (and quite a lot with 5.2)