
Bug 955960

Summary: phpBB password encryption (or lack thereof) should not be reversible.
Product: Websites
Reporter: Mr. Beedell, Roke Julian Lockhart <qmhp3k8q>
Component: Forums
Assignee: Forum Moderators <forum-mods>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: An Example E-Mail, With Password Obscured

Description Mr. Beedell, Roke Julian Lockhart 2025-05-14 17:51:51 UTC
Created attachment 928822
An Example E-Mail, With Password Obscured

Vulnerability:

:	According to answers like https://law.stackexchange.com/a/64734/59204 [^1] and my own comprehension of current best practices and their accompanying law, I believe that the phpBB instance either storing passwords in plain text, or using reversible encryption, should be remediated. Per https://security.stackexchange.com/a/7122/217497, [^2] mailing my password back to me upon registration at https://forums.gentoo.org/profile.php?mode=register&agreed=true#form1:~:text=Forums%20Forum%20Index-,Registration,-Information is unanimously considered malpractice.

	If this should have instead been filed at https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security, please transfer it there. Otherwise, I'll do so, if I've the permission to. I'm unfamiliar with this BZ instance, so I apologise if so.

Citations:

:	[^1]: https://law.stackexchange.com/revisions/64734/1#content:~:text=GDPR%20regulations%20on%20the%20whole,civil%20suit%20against%20the%20organisation.

	[^2]: https://security.stackexchange.com/revisions/7122/1#content:~:text=contact%20the%20website%20and%20try%20and%20explain%20them%20how%20bad%20of%20an%20idea%20and%20practice%20it%20is%20to%20store%20(and%20email)%20passwords%20in%20plain%20text.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-05-14 18:20:47 UTC
It needs the forums software upgraded.

*** This bug has been marked as a duplicate of bug 761073 ***