About Add-on Passphrase Security

Announcements regarding Wesnoth and the Wesnoth Project.


shadowm
Site Administrator


Post by shadowm » June 11th, 2015, 1:01 am

Content creators who have published user-made add-ons to the Wesnoth add-ons server are surely aware that we currently use a very primitive authentication mechanism that works on a per-add-on basis. An uploader-defined passphrase is provided in the add-on’s .pbl file and this is matched against the add-ons server’s records.

What is not necessarily obvious is that the passphrase is stored in clear text form not only on the client’s side, but also on the server. This means that any person with access to the server configuration can see every add-on’s passphrase in a human-readable format that makes it trivial for it to be stolen. Furthermore, it is also possible for add-ons to obtain add-on passphrases from the client and transmit them over the network. Because of this, we advise content uploaders to use unique passphrases for their content and never reuse an existing password that could grant a malicious party access to their systems or other sites. Also, in order to prevent vandalism, we suggest either using hard-to-guess passphrases, or leaving the passphrase field blank or omitting it altogether when first uploading an add-on so that the add-ons client will generate and save a random one instead.

People who suspect they may be using insecure passphrases for their add-ons should send a private message to the Forum Administrators group to request changing passphrases; or use the command-line add-ons client with the following parameters if possible, substituting the text within brackets and replacing 1.12.x with 1.13.x or 1.10.x if applicable:

wesnoth_addon_manager -p 1.12.x --change-passphrase <Addon_Folder_Name> <old passphrase> <new passphrase>

Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
Elsewhere: shadowm Blog | Follow me on Twitter
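Added example, not code from Wesnoth, the add-ons server or the post above: a small Python model of the per-add-on passphrase check described in the post. It puts the clear-text server store (where anyone who can read the configuration gets every passphrase) beside a salted-hash store that keeps only a random salt and a PBKDF2 digest, and includes a random-passphrase generator of the kind a client can save when the .pbl omits the field. The .pbl fragment is constructed; the `passphrase="..."` key=value layout, the registry class names and the PBKDF2 cost are assumptions for illustration, not the real server's storage format.

```python
"""Per-add-on passphrase checks: clear-text storage (as described) beside a salted-hash store.

Added illustration, not code from Wesnoth or the add-ons server.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Cost parameter for PBKDF2-HMAC-SHA256; an assumed value, raise it as hardware allows.
PBKDF2_ITERATIONS = 100_000

# Constructed _server.pbl fragment for the demonstration (not a real add-on).
EXAMPLE_PBL = """\
title="Example Campaign"
version="1.0.0"
passphrase="s3cret-passphrase"
"""


def generate_passphrase(nbytes: int = 16) -> str:
    """Random URL-safe passphrase, the kind a client can save when the .pbl omits the field."""
    return secrets.token_urlsafe(nbytes)


def pbl_passphrase(pbl_text: str) -> Optional[str]:
    """Extract the passphrase from key="value" lines (assumed .pbl layout)."""
    for line in pbl_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "passphrase":
            return value.strip().strip('"')
    return None


class ClearTextRegistry:
    """Server store that keeps passphrases readable: the situation the post warns about."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def register(self, addon: str, passphrase: str) -> None:
        self._store[addon] = passphrase

    def verify(self, addon: str, passphrase: str) -> bool:
        stored = self._store.get(addon)
        if stored is None:
            return False
        # Bytes comparison avoids both timing leaks and compare_digest's ASCII-only str rule.
        return hmac.compare_digest(stored.encode("utf-8"), passphrase.encode("utf-8"))

    def leaked_passphrases(self) -> Dict[str, str]:
        """What anyone with read access to the server configuration obtains."""
        return dict(self._store)


class HashedRegistry:
    """Same interface, but only a random salt and a PBKDF2 digest are stored per add-on."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _digest(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def register(self, addon: str, passphrase: str) -> None:
        salt = os.urandom(16)  # fresh salt per add-on, so equal passphrases hash differently
        self._store[addon] = (salt, self._digest(passphrase, salt))

    def verify(self, addon: str, passphrase: str) -> bool:
        entry = self._store.get(addon)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(self._digest(passphrase, salt), expected)

    def change_passphrase(self, addon: str, old: str, new: str) -> bool:
        """Mirror of --change-passphrase: the old passphrase must verify first."""
        if not self.verify(addon, old):
            return False
        self.register(addon, new)
        return True

    def leaked_passphrases(self) -> Dict[str, str]:
        """A config reader sees only hex salts and digests, never a passphrase."""
        return {a: f"{s.hex()}${d.hex()}" for a, (s, d) in self._store.items()}


if __name__ == "__main__":
    addon, passphrase = "Example_Campaign", pbl_passphrase(EXAMPLE_PBL)
    for registry in (ClearTextRegistry(), HashedRegistry()):
        registry.register(addon, passphrase)
        print(type(registry).__name__, registry.verify(addon, passphrase),
              registry.leaked_passphrases())
```

Running the block registers the constructed passphrase in both stores and prints what a configuration reader would see from each. Note that hashing on the server only closes the server-side leak; the passphrase still sits readable in the client's .pbl, where the post says other add-ons can read it, so the advice to use a unique or randomly generated passphrase per add-on stands either way.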
