Since I implemented authentication and started using TWikiRegistrationPub as the registration page (renamed to TWikiRegistration), the email sent to the webmaster every time a user registers includes the password.
Considering that this password might be used on other systems (which of course is a bad idea but does happen), this is quite a big security hole. Any hope of a quick fix for this?
I'm using the May 2000 release.
--
RichardDonkin - 06 Dec 2000
This has been reported before; it has been fixed in the 01 Dec 2000 release (available, but not yet announced because of a pending web-hosting problem at SourceForge).
Upgrade to the 01 Dec 2000 version or make the changes as described in RegistrationSendsPasswordToWebMaster.
--
PeterThoeny - 06 Dec 2000
Thanks, I'll just patch the register program as documented in that link, since the upgrade to the Dec 2000 release seems like quite a bit of work and I've only just got this installation working!
--
RichardDonkin - 07 Dec 2000
You can do an easy "upgrade" in case you did not create much content: Simply install the new TWiki version, then restore the few topics you created.
--
PeterThoeny - 06 Dec 2000
I am now having the problem that people don't remember the password they used to register on TWiki.
I therefore propose that ideally two separate emails get sent: one to the user with the password and one to the admin without the password!
--
MartinCleaver - 15 Jun 2001
In RegisterCgiScriptRewrite I send separate emails, with the one to the admin derived from registernotifyadmin.tmpl and the one to the user remaining from registernotify.tmpl. The one to the user will contain the password if indicated by the flag; the admin one will always have it blanked out.
Any problem with this?
--
MartinCleaver - 04 Oct 2004
It is a bit unusual to send a password by email. How secure is emailing a password? And how is this perceived by the users?
--
ArthurClemens - 04 Oct 2004
Well, it is still optional, as the flag still exists. I tend to find that the less frequently I am likely to visit a site the more likely the administrator will send me the password in the email, so it depends on application.
... has the current template. Note that BugSomeVariablesExpandedInVerbatim means that WIKIWEBMASTER is expanded even though the diff is enclosed in a verbatim.
I can't show you the live registernotifyadmin.tmpl topic, but here's a static snapshot.
From: %WIKIWEBMASTER%
To: %WIKIWEBMASTER%
Subject: %WIKITOOLNAME% - Registration for %WIKINAME% (%EMAILADDRESS%)
MIME-Version: 1.0
Content-Type: text/plain; charset=%CHARSET%
Content-Transfer-Encoding: 7bit

This is an automated email notification of user registration
in %WIKITOOLNAME%.

%WIKINAME% has been registered with email %EMAILADDRESS%

Submitted content:
%FORMDATA%

Saved to:
%SCRIPTURL%/view%SCRIPTSUFFIX%/%MAINWEB%/%WIKINAME%
--
MartinCleaver - 04 Oct 2004
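The two-mail scheme the thread settles on (the user's copy carries the password only when the flag allows it; the webmaster's copy always has it blanked out) as an added example in Python. This is not TWiki's register script or its registernotify*.tmpl files; the two cut-down templates, the %NAME% placeholder syntax, the field names (WikiName, Email, Password, Confirm), the sample site and form data, and the masking rule are all constructed for the example. The one thing it adds beyond the thread is a final leak check: masking is done by field name, so if the admin template ever grows a stray placeholder or the form gains a second credential field, the raw value is caught before the mail goes out.

```python
import re

# Constructed, cut-down templates in the style of TWiki's registernotify.tmpl
# (sent to the user) and registernotifyadmin.tmpl (sent to the webmaster).
# Illustrative only; not the real template files.
USER_TEMPLATE = """\
From: %WIKIWEBMASTER%
To: %EMAILADDRESS%
Subject: %WIKITOOLNAME% - Registration for %WIKINAME%

Welcome to %WIKITOOLNAME%, %WIKINAME%.
You registered with the following details:
%FORMDATA%
"""

ADMIN_TEMPLATE = """\
From: %WIKIWEBMASTER%
To: %WIKIWEBMASTER%
Subject: %WIKITOOLNAME% - Registration for %WIKINAME% (%EMAILADDRESS%)

This is an automated email notification of user registration in %WIKITOOLNAME%.
%WIKINAME% has been registered with email %EMAILADDRESS%
Submitted content:
%FORMDATA%
"""

# Form fields that carry the credential (assumed names). They are always
# masked in the admin mail, and masked in the user mail unless the flag is set.
SECRET_FIELDS = frozenset({"Password", "Confirm"})
MASK = "*******"

VAR_RE = re.compile(r"%([A-Z]+)%")


def expand(template, variables):
    """Expand %NAME% placeholders; unknown names are left as they are."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), template)


def format_formdata(form, masked_fields):
    """Render the submitted form as 'Field: value' lines, masking the given fields."""
    return "\n".join(
        f"{name}: {MASK if name in masked_fields else value}"
        for name, value in form.items()
    )


def build_notifications(form, site, send_password_to_user):
    """Return (user_mail, admin_mail) for one registration.

    form: submitted registration fields, including 'Password' and 'Confirm'.
    site: dict with WIKIWEBMASTER and WIKITOOLNAME.
    send_password_to_user: the optional flag from the thread; the user mail
    echoes the password only when it is true. The admin mail never carries it.
    """
    common = {
        "WIKIWEBMASTER": site["WIKIWEBMASTER"],
        "WIKITOOLNAME": site["WIKITOOLNAME"],
        "WIKINAME": form["WikiName"],
        "EMAILADDRESS": form["Email"],
    }
    user_masked = frozenset() if send_password_to_user else SECRET_FIELDS
    user_mail = expand(USER_TEMPLATE,
                       {**common, "FORMDATA": format_formdata(form, user_masked)})
    admin_mail = expand(ADMIN_TEMPLATE,
                        {**common, "FORMDATA": format_formdata(form, SECRET_FIELDS)})

    # Masking works by field name, so a stray placeholder in the admin template
    # or an extra credential field would still leak. Refuse to send in that case.
    # (A password equal to other visible text, e.g. the tool name, also trips
    # this; rejecting on doubt is the safer failure.)
    for name in SECRET_FIELDS:
        if form[name] and form[name] in admin_mail:
            raise ValueError(f"credential field {name} leaked into the admin notification")
    return user_mail, admin_mail


# Constructed sample data for a local run.
SAMPLE_SITE = {"WIKIWEBMASTER": "webmaster@example.org", "WIKITOOLNAME": "TWiki"}
SAMPLE_FORM = {
    "WikiName": "RichardDonkin",
    "Email": "rd@example.org",
    "Password": "Zq8!vPm2kL",
    "Confirm": "Zq8!vPm2kL",
}

if __name__ == "__main__":
    user_mail, admin_mail = build_notifications(SAMPLE_FORM, SAMPLE_SITE, True)
    print(user_mail)
    print(admin_mail)
```

Whether to set the flag at all is the question ArthurClemens raises above: mailing the password to the user is a convenience trade-off, and the example only makes the admin copy safe regardless of that choice.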