Portal Engine Questions on portal engine and web parts.
Member
al.lx-orange - 2/28/2012 4:43:38 AM
   
cleartext submission of password
Hello,
First, sorry for my English...
I have just started at a new place and my manager asked me to resolve a problem about security.
The Kentico site has been checked and the result of that is the following:
"The cleartext submission of a password was located on this website. The Kentico CMS login page was located and it was found that the password submission is sent in the clear."
Can somebody explain to me how I could resolve that? Use encryption for the password? Or is there just a simple parameter to invoke in the Site Manager... or something else?
Thank you to everyone who could help me.
Alain

Kentico Support
kentico_jurajo - 2/28/2012 4:55:57 AM
   
RE:cleartext submission of password
Hello,

Could you please tell us where and how this was checked?
Also, could you please check your password settings?

Best regards,
Juraj Ondrus

Member
al.lx-orange - 2/29/2012 4:28:51 AM
   
RE:cleartext submission of password
Hello Juraj,
Thanks for your answer.
First, the check was made by an internal enterprise information security service.
Second, I have seen your link:
We have Kentico version 5 and the menus are a little different...

Then, we have the password format in SHA1 (but not "with salt"),
and I saw that we haven't checked the following parameter:
"use ssl for administration interface"
What do you think about that?
Do you think we can resolve the proble ao the clear password only by cheked that option ?
Thank you very much for your help.
Alain

Member
al.lx-orange - 2/29/2012 4:37:56 AM
   
RE:cleartext submission of password
Sorry for the error at the end of my reply!!!
I wanted to say:

Do you think we can resolve the problem about the clear password only by checking that option?
Sorry
Alain

Kentico Support
kentico_jurajo - 2/29/2012 5:00:13 AM
   
RE:cleartext submission of password
Hi,

But, you have not described the actual issue - or am I missing something? Could you please explain in detail - what and where is the issue? Any examples would be much appreciated.

Best regards,
Juraj Ondrus

Member
al.lx-orange - 2/29/2012 5:08:43 AM
   
RE:cleartext submission of password
Ah... sorry.
In fact, our problem is the following:
We have an authentication page where a user must enter his login and password to access our Kentico site. On this page, our enterprise information security service has found a security weakness (fault) because the password submission is sent in clear.
So my question is: how can we send this password in a secure way??
Is that clearer for you?
Thank you

Kentico Support
kentico_jurajo - 2/29/2012 6:17:43 AM
   
RE:cleartext submission of password
Hi,

Are you using SSL on the logon page? It is normal that the password is switched to the hash on the server side - so it is sent as text. If you want to encrypt the communication, you need to use SSL, as is usual.

Best regards,
Juraj Ondrus

Member
al.lx-orange - 2/29/2012 8:24:38 AM
   
RE:cleartext submission of password
OK and thanks!!
Just for info, I just activated the parameter "use ssl for administration page" and now I can't access the CMS Site Manager any more!!
So I wanted to deactivate this option, but how can I access the CMS environment? Do I change something in IIS? Or make a backup of my site to have the version before my change??
Thank you

Kentico Support
kentico_jurajo - 2/29/2012 8:46:46 AM
   
RE:cleartext submission of password
Hi,

You should have set up SSL on your server and IIS and installed the appropriate certificates.
Right now, you need to install SSL or you can turn that setting off by following the steps below:

Please open your database, navigate to CMS_SettingsKey table, find “CMSUseSSLForAdministrationInterface” record and change “KeyValue” from “true” to “false”.

Best regards,
Juraj Ondrus


Member
al.lx-orange - 2/29/2012 8:58:36 AM
   
RE:cleartext submission of password
Hello,

A very big "merci" for your help.
Have a good end of day!!
Thanks again ;-)