Security: Plain text password storage in Registration entity

[tomaioo]

Summary

Security: Plain text password storage in Registration entity

Problem

Severity: High | File: lib/Db/Registration.php:L29

The Registration entity (lib/Db/Registration.php) stores passwords in plain text. The password field is defined as a string type with no hashing applied before storage. While this is for pending registrations that haven't been created as users yet, storing plain text passwords temporarily in the database is a security concern.

Solution

Consider hashing passwords before storing them in the registration table, or ensure the password is only stored temporarily and never logged or exposed.

Changes

• lib/Db/Registration.php (modified)

[tcitworld]

Passwords are encrypted before being stored:

registration/lib/Service/RegistrationService.php

Lines 81 to 82 in 95e4600

	$password = $this->crypto->encrypt($password);
	$registration->setPassword($password);

We can't save just the hash because the password is then decrypted and used to create the actual account:

registration/lib/Service/RegistrationService.php

Line 272 in 95e4600

$password = $this->crypto->decrypt($registration->getPassword());

registration/lib/Service/RegistrationService.php

Line 302 in 95e4600

$user = $this->userManager->createUser($loginName, $password);