[Owncloud] Any application there (apart from Media) using the user's password ?
Robin Appelman
icewind at owncloud.com
Tue Feb 5 23:26:22 UTC 2013
On Tuesday 05 February 2013 21:32:20 Antoine Diamant-Berger wrote:
> Hi all,
>
> I noticed yesterday that the user's password was forwarded in plaintext
> to apps through the post_login and password_change hooks.
>
> This doesn't seem to me a safe practice, and would like to propose a change
> in the 2 Hooks API to "correct" that.
>
> Before working on a technical solution, I'd like to know what other
> applications use the password as provided, and their exact needs for it.
>
> So far, the Media application has been identified, which uses an SHA256
> hash. Any other?
Even if we change that hook, there is nothing stopping any app from just
reading the value from $_POST.
There is very little we can do to stop malicious 3rd party apps; PHP just
lacks the sandboxing abilities to do that.
- Robin Appelman
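As an added illustration, not code from this thread or from ownCloud itself, the sketch below shows in PHP the kind of hook change Antoine proposes: core hands each app a per-app value derived from the password instead of the plaintext, which is enough for an app that, like Media, only keeps a hash. `HookBus`, `deriveAppSecret` and `INSTANCE_SECRET` are hypothetical names, not ownCloud's hook API.

```php
<?php
// Hypothetical illustration (not ownCloud's OC_Hook API): core derives a
// per-app secret from the login password and passes that to apps, so the
// plaintext never travels through the post_login hook payload.

const INSTANCE_SECRET = 'constructed-instance-secret'; // placeholder, per install

/** Derive an app-specific secret; the password is not recoverable from it. */
function deriveAppSecret(string $appId, string $user, string $password): string
{
    // HMAC keyed with password + instance secret, bound to app id and user,
    // so two apps (or two users) never receive the same value.
    return hash_hmac('sha256', "$appId\0$user", $password . INSTANCE_SECRET);
}

/** Minimal signal/slot registry standing in for a hook dispatcher. */
class HookBus
{
    private array $slots = [];

    public function connect(string $signal, string $appId, callable $slot): void
    {
        $this->slots[$signal][$appId] = $slot;
    }

    /** Emit post_login: each app receives its own derived value, never $password. */
    public function emitLogin(string $user, string $password): void
    {
        foreach ($this->slots['post_login'] ?? [] as $appId => $slot) {
            $slot([
                'uid'    => $user,
                'secret' => deriveAppSecret($appId, $user, $password),
            ]);
        }
    }
}

$bus = new HookBus();
$bus->connect('post_login', 'media', function (array $params): void {
    // Media-like app: stores the derived hash for its own use; no plaintext involved.
    echo "media app got secret for {$params['uid']}: {$params['secret']}\n";
});
$bus->emitLogin('alice', 'constructed-password'); // constructed sample login
```

As Robin notes, this only changes what the hook carries: an app that reads `$_POST` directly still sees the password, and a derived value that leaks is still subject to offline guessing.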