Re: [Assp-test] Web Interface security.

[Paul H. <du...@sh...>]

Paul Houlbrooke wrote:
> Fritz Borgstedt wrote:
>> ASSP development mailing list <ass...@li...>
>> schreibt:
>>> Password is no longer visible via View Source in Windows. However,
>>> when 
>>> changing the password a restart of the service is required for the 
>>> crypt() function to do it's thing. After changing the password, it is 
>>> still in plain text in the assp.cfg file. When I tried to login in
>>> with 
>>> the new password, it would not let me. Upon restarting the service,
>>> the 
>>> password in the config file updated to the encypted copy and I could 
>>> then again log in to the web interface.
>>
>> I was unsure after the report of marco if crypt() is working at all in
>> windows so i changed to a module.
>>
>> please test .9
>>
>> you need to install Crypt::Blowfish
> 
> Encryption was working fine. Only problem for me was changing the 
> password and having the plaintext get encrypted. It seemed as if the 
> crypt() function was not getting called when the password was changed.
> 
> In 14.9 the only way I can login now is to enter the encypted version of 
> the password. I erased the webAdminPassword in the config file, 
> restarted the service so it would recreate it, and entered the default 
> password, nospam4me. I could not login. Inputting 459{ߢ4á works.
> 

In addition, changing the password inside the GUI does not change the 
encrypted value in the config file.