[Enhancement Request] encrypt user/password in connections table

Status
Not open for further replies.

jcc

Member
I'm not really sure how concerned I should be about this, but I noticed that the user and password are stored in the <prefix>_fabrik_connections table in clear text.

It seems to me that those credentials would be of a more sensitive nature than those in <prefix>_users which are encrypted.

Certainly, <prefix>_users can use a one-way encryption where <prefix>_fabrik_connections would need to be decrypted as well, but any encryption would be better than none.
 
Fair comment.

I'm raising a github request on this. It'd probably have to wait till the next major update, as it'll need an update SQL to be run to encrypt existing passwords.

-- hugh
 
I'm not 100% convinced about this, although open to debate of course!

If someone gains access to your database to read/alter this information then aren't you pretty much compromised anyway?

The same argument could apply to why Joomla's config doesn't encrypt the database password and ftp account details.
 
OK. I'll debate it with you. :)

I'll grant you that if someone gets direct(ish) access to the database, you've lost a good chunk/all of the site. Certainly if someone gets some executable scripts on to your site, you have essentially lost control anyways.

Practically, if one can read the configuration.php file, one has the credentials to do most anything they want to the site database. Having the credentials in the connections table does not further compromise the site database.

However, I always keep sensitive data in a separate database. It is access to that database I would wish to make more difficult, especially if that database is behind my firewall. Providing internal credentials to external forces gives me the shivers.
 
However, I always keep sensitive data in a separate database. It is access to that database I would wish to make more difficult, especially if that database is behind my firewall. Providing internal credentials to external forces gives me the shivers.
Ah, OK, well that is a very sound argument; I was purely thinking of the default Joomla db and not external dbs.
 
Since Hugh already opened a github issue, should I close this thread or is it best left open as a reminder? Thanks!
 
Hi, I've updated the joomla3 branch at github with changes which should allow you to edit and save the connection, at which point it's encrypted using Joomla's JCrypt class, and then hopefully decrypted before any connection is made to the database.
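An added illustration of the save-then-decrypt flow described in the post above; this is not Fabrik's JCrypt code nor anything from the joomla3 branch. It assumes the key is derived from the site secret in configuration.php (so a copy of the database alone does not recover the credentials, the point raised earlier about external databases) and uses openssl AES-256-GCM as a stand-in for JCrypt.

```php
<?php
// Added example (not Fabrik's or Joomla's own code). The connection password is
// encrypted before it is written to <prefix>_fabrik_connections and decrypted
// only at the moment a database link is opened.

// Derive a fixed-length key from the configuration.php secret (constructed value).
function connectionKey(string $configSecret): string
{
    return hash_hkdf('sha256', $configSecret, 32, 'fabrik-connection-password');
}

// Encrypt a clear-text password for storage. Output is base64(iv . tag . ciphertext).
function encryptConnectionPassword(string $password, string $key): string
{
    $iv  = random_bytes(12);
    $tag = '';
    $cipherText = openssl_encrypt($password, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($cipherText === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $cipherText);
}

// Decrypt a stored value right before connecting. A tampered row or the wrong
// site secret fails GCM authentication instead of yielding a garbage password.
function decryptConnectionPassword(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('stored password is malformed');
    }
    $iv         = substr($raw, 0, 12);
    $tag        = substr($raw, 12, 16);
    $cipherText = substr($raw, 28);
    $password = openssl_decrypt($cipherText, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($password === false) {
        throw new RuntimeException('stored password failed authentication');
    }
    return $password;
}

// Save path: the row as it would be written to the connections table (constructed values).
$key = connectionKey('example-configuration-php-secret');
$row = ['host' => 'db.internal', 'user' => 'reports',
        'password' => encryptConnectionPassword('s3cret', $key)];

// Load path: decrypt only here, where "new PDO(...)" (or JDatabaseDriver) would be called.
$clear = decryptConnectionPassword($row['password'], $key);
assert($clear === 's3cret');
// Someone who only has the table row sees $row['password'], never 's3cret'.
```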
 