Password Hashing Vulnerability in Memberpages 3.6.4 and below
Posted: Tue Sep 05, 2017 1:41 pm
Hi everybody!
After having read http://cynosureprime.blogspot.de/2017/0 ... posed.html, I had a look at the password hashing of Memberpages 3.6.4 and found that it is vulnerable to storing weak password hashes in cookies (besides a timing attack vulnerability). Therefore I have released Memberpages 3.6.5, which now requires PHP ≥ 5.3.7.
All users are strongly advised to update to this version as soon as possible!
Note that I consider the plain-text password storage of Memberpages a vulnerability as well, but I do not have the time to fix that with regard to the password forgotten functionality. Consider using Register_XH instead.