
Does Oxwall store any of the FTP details provided in the database? | Forum

Aditya Mar 15 '13
When installing plugins or platform updates, Oxwall prompts for FTP details. Are these stored in the database anywhere?
Aditya Mar 17 '13
Yep, cookies are my guess also. Because like you described, subsequent updates/installs in the same browser session don't require giving passwords, but if you go back after some time, it will ask again for the FTP details.


I guess I'll have to go source diving to know for sure, however. I'll report back here when I get the time. It is BAD news if Oxwall is storing FTP password in the database at all. A session cookie is quite bad also, but bearable if the user is security conscious and cleans cookies.


Some of the readers might be getting ready to say "but if someone has access to your DB you are in bigger trouble"... I agree, but in certain shared hosting setups there is a possibility for greater harm.

Alia Team
Alia Mar 18 '13
FTP access details are not saved anywhere in the database. They are saved within the session. Session files are temporary ones and are deleted in 20-30 mins.
Aditya Mar 18 '13
Hi Alia, thanks for clarifying. I humbly would like to suggest that this "feature" is also scrapped. Browser cookies are one of the most frequently attacked pieces of data on user computers, and it is a super bad idea to store passwords in there! No matter how secure a browser is, new vulnerabilities are as guaranteed as the sun rising in the east.


Making the user type in the username and password for their FTP details is just a minor inconvenience. If the team is concerned about situations where multiple plugins need to be updated, I suggest an "update all" function that takes FTP creds one time and runs all available updates in one go.


I also suggest that a warning dialog box should appear in the browser above the FTP creds form, asking the user to use Chrome "incognito" or IE/Firefox "private browsing" till this is implemented. This way, cookies will be removed immediately upon browser close. 30 minutes is a painfully long time for passwords to exist unencrypted in a commonly targeted area.

Michael Anderson Mar 18 '13
Aditya, more and more security conscious shared hosting platforms store both mysql data and session data in both chroots and encrypted directories. Yes, it's a PITA to set up, but good luck hacking someone else's account. Unless you have their tokens, you're hosed.
Aditya Mar 19 '13
That's good to know Michael, can't hurt to be secure on our end too though, especially considering 'a lot' of hosts is not 'every host' :)
Alia Team
Alia Mar 20 '13
>> humbly would like to suggest that this "feature" is also scrapped. Browser cookies are one of the most frequently attacked pieces of data on user computers...

This is impossible.
Basically actual data is stored in the temp. session file on your server. Browser cookies save only session variable/ID and not actual info. So you are safe on this side. And it is up to your server settings when sessions are cleared.



Alia Team
Alia Mar 20 '13
Also, this scheme applies not only to the FTP access details, but to the whole site in general. User logs in to your site, session is created, cookies are saved. This increases site performance.
Aditya Mar 20 '13
>> Basically actual data is stored in the temp. session file on your server.


Ah, indeed. My bad for forgetting basic session lessons =) Okay, that eases most of my apprehensions.


We now need to worry only about the server side temp session folder being exposed to other users on the same server, but this risk is significantly smaller compared to browser cookies.


I still say this is a needless feature, storing unencrypted passwords anywhere for any amount of time, all for a minor increase in convenience for users (which can actually be achieved in a more secure way like I suggested above). But hey, I don't have access to the source so all I can do is suggest.
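As an added example (not Oxwall's code) of the mechanism Alia describes and the server-side exposure Aditya raises: the cookie carries only the session ID, the credentials sit in a server-side session file whose idle lifetime comes from session.gc_maxlifetime, and code can erase them as soon as the update run finishes instead of waiting for garbage collection. The helpers sessionPathIsPrivate, sessionIdleLifetimeSeconds and withFtpCredentials, and the ftp_* POST field names, are assumptions for illustration.

```php
<?php
// Added example, not Oxwall code. Shows where the FTP details actually
// live during a plugin update and how to shorten their lifetime.
declare(strict_types=1);

// The cookie carries only the opaque session ID, never the credentials.
// Lock it down so the ID itself is harder to steal.
session_set_cookie_params([
    'lifetime' => 0,        // cookie is discarded when the browser closes
    'secure'   => true,     // sent over HTTPS only
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Strict',
]);
session_start();

// On shared hosting the real exposure is the server-side session file.
// Flag a save_path that group/other accounts can read or write.
function sessionPathIsPrivate(): bool
{
    $path  = session_save_path() ?: sys_get_temp_dir();
    $perms = @fileperms($path);
    return $perms !== false && ($perms & 0066) === 0;
}

// How long an idle session file survives before garbage collection;
// this is the "20-30 mins" from the thread, set in php.ini, not Oxwall.
function sessionIdleLifetimeSeconds(): int
{
    return (int) ini_get('session.gc_maxlifetime');
}

// Hold the credentials only while the "update all" run needs them,
// then erase them explicitly instead of waiting for garbage collection.
// $updateAll is an assumed callback taking ['host','user','pass'].
function withFtpCredentials(callable $updateAll): bool
{
    $_SESSION['ftp'] = [
        'host' => $_POST['ftp_host'] ?? '',
        'user' => $_POST['ftp_user'] ?? '',
        'pass' => $_POST['ftp_pass'] ?? '',
    ];
    try {
        return (bool) $updateAll($_SESSION['ftp']);
    } finally {
        unset($_SESSION['ftp']);
        session_regenerate_id(true);  // old session file is deleted
        session_write_close();        // new file persists without creds
    }
}
```

With session_regenerate_id(true) the file that held the credentials is removed immediately, so the only remaining window is the time the update itself takes.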

Alia Team
Alia Mar 22 '13
>>But hey, I don't have access to the source so all I can do is suggest.

Aditya, when you download Oxwall you get full access to the source code. So feel free to modify the code the way you want to.
Aditya Mar 22 '13
Correct. However, I cannot share these changes with the rest of the community. That said, I had a recent communication about this with the team and hence I'll quit whining about this.