How to improve security? Ostiket can be hacked!

gymamal

It seems that user credentials are sent /scp/login.php in clear text!

That means login details are not encrypted when they are transmitted!

So, A third party (hackers) may be able to read credentials by intercepting an unencrypted HTTP connection!

Is there a way to encrypt data while transmit? if can, How?

peter

I don't believe you can auto encrypt user inputs independent of the browser given that what you are referring to happens between browser (user entering the data) and the site (post). The only way to protect against such attack is to use certificates. i.e install osTicket in https instead of plain http.

gymamal

I don't believe you can auto encrypt user inputs independent of the browser given that what you are referring to happens between browser (user entering the data) and the site (post). The only way to protect against such attack is to use certificates. i.e install osTicket in https instead of plain http.

Hmm! That means my tiket system is Vulnerable to injecting or hacking!

openmtl

Hmm! That means my tiket system is Vulnerable to injecting or hacking

No, I disagree, for injection vulnerabilities it would mean that osTicket was not correctly escaping user inputs before using that input. AFAIKS where I have looked through the code whilst looking at bugs it escapes user inputs and so makes it rather hard to inject SQL (though I'm no expert). The last rc5 upgrade I think corrected one of the unescaped values. Quite possible that there is some more ways of tricking unescaped inputs into the SQL but some random ticket system doesn't seem to me to be as rewarding as say a banking site.

Plain old hacking would be if someone brute-forced the logons. How hard that is solely dependant upon your password complexity - the more complex then it just isn't reasonable to hack.

For sniffing the passwords then as Peter suggests - use SSL (https:). Man-in-the-middle attacks aside, someone sniffing SSL traffic will not get your passwords.

Many (nearly all ?) PHP logon scripts involve sending passwords in clear text in a POST method and the recommendation has always been that if you want to secure that POST then you must use HTTPS.

Finally, someone would probably get access to your systems through either,

a) attacking the host e.g. via PLESK or cPanel or they find some other account on a shared host that gets them to something useful like root so they can wander over your site (who here hasn't had a host with r57.txt shoved on it ?).

b) Todays favourite which is keylogging your PC and nothing of osTicket/.htaccess/SSL can stop that and that is why exploits involving keyloggers are so popular today.

Platinum

I agree with Peter, just use SSL and be done with it.

There's not a lot you can do about client-side vulnerabilities such as key-loggers, but as long as you ensure that logins are only done via https (ssl) then at least transmission between server and client is encrypted.

goldfigure

SSL is JFDI

Funny. I installed osTicket for the first time today and the first thing I did was create a self certified SSL certificate (free) to use on my support site. It throws up questions of trust but does ensure all traffic is encrypted. Easy, not sure why there would be confusion.

Incidentally @[deleted], Google, Hotmail, etc all use SSL but otherwise unencrypted text.

I don't believe you can auto encrypt user inputs independent of the browser given that what you are referring to happens between browser (user entering the data) and the site (post). The only way to protect against such attack is to use certificates. i.e install osTicket in https instead of plain http.

consumedsoul

Funny. I installed osTicket for the first time today and the first thing I did was create a self certified SSL certificate (free) to use on my support site. It throws up questions of trust but does ensure all traffic is encrypted. Easy, not sure why there would be confusion.
Incidentally @[deleted], Google, Hotmail, etc all use SSL but otherwise unencrypted text.

If I already installed osTicket is it too late to switch to SSL? (sorry, probably newb question)