Insecure password in POST request #2793

Closed
opened 2026-02-05 05:12:50 +03:00 by OVERLORD · 3 comments
Owner

Originally created by @KarelWintersky on GitHub (May 13, 2022).

Describe the Bug

![image](https://user-images.githubusercontent.com/2164874/168266647-7ef9f197-66e9-437e-a571-ba409fdcad90.png)

Steps to Reproduce

Goto: https://demo.bookstackapp.com/login
Enter login & password
Click "Вход" (Login)

Expected Behaviour

Hashed or crypted password

Screenshots or Additional Context

No response

Browser Details

Any

Exact BookStack Version

22.04.2 (maybe)

PHP Version

No response

Hosting Environment

Demo

OVERLORD added the 🐛 Bug label 2026-02-05 05:12:50 +03:00

@ssddanbrown commented on GitHub (May 13, 2022):

@KarelWintersky You may also need to report this one to google, since their login does the same.

Passwords are hashed in storage in BookStack. Hashing/encrypting client side doesn't really add much security, just adds complexity. Sure, it may slightly help in non-HTTPS cases, but it still won't protect access to the BookStack account and those cases are already open to a wider array of security concerns.
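
The point made above, that hashing on the client mainly relocates the secret rather than protecting the account, can be shown with a small model of both login flows. This is an added illustration written for this thread, not BookStack code; PBKDF2 stands in for whatever slow hash the server actually uses, and the user, password and the "captured" values are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 here stands in for the bcrypt/argon2 a real framework uses (assumption)


def server_hash(secret: bytes, salt: bytes) -> bytes:
    """Slow, salted hash the server applies to whatever secret arrives in the POST body."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def register(store: dict, username: str, wire_secret: bytes) -> None:
    """Persist only salt + server-side hash; the value that came over the wire is never stored."""
    salt = os.urandom(16)
    store[username] = (salt, server_hash(wire_secret, salt))


def verify(store: dict, username: str, wire_secret: bytes) -> bool:
    """Constant-time comparison of the submitted secret against the stored hash."""
    salt, stored = store.get(username, (bytes(16), bytes(32)))
    return hmac.compare_digest(server_hash(wire_secret, salt), stored)


def client_prehash(password: str) -> bytes:
    """Unsalted SHA-256 the browser would POST instead of the password (the scheme the issue asks for)."""
    return hashlib.sha256(password.encode()).hexdigest().encode()


def compare_flows(password: str = "correct horse battery staple") -> dict:
    """Run the plain flow (A) and the client-prehash flow (B) with a constructed user and password."""
    plain_store, prehash_store = {}, {}
    register(plain_store, "alice", password.encode())
    register(prehash_store, "alice", client_prehash(password))

    seen_in_flow_a = password.encode()           # what a non-HTTPS observer sees in flow A
    seen_in_flow_b = client_prehash(password)    # what the same observer sees in flow B

    return {
        # Flow A: the observed value is the password, so it logs in.
        "plain_value_logs_in": verify(plain_store, "alice", seen_in_flow_a),
        # Flow B: the observed pre-hash is accepted as-is; it has simply become the credential.
        "prehash_value_logs_in": verify(prehash_store, "alice", seen_in_flow_b),
        # The real password no longer works against a pre-hash server: only the pre-hash does.
        "raw_password_on_prehash_server": verify(prehash_store, "alice", seen_in_flow_a),
        # Either way the database holds a salted server-side hash, never the wire value.
        "db_holds_wire_value": prehash_store["alice"][1] == seen_in_flow_b,
        "wrong_password_rejected": verify(plain_store, "alice", b"wrong"),
    }
```

The only thing that changes between the two flows is which byte string acts as the account secret; what protects it in transit is HTTPS, not the client-side hash.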


@KarelWintersky commented on GitHub (May 13, 2022):

> You may also need to report this one to google,

Appealing to the errors of a third-party resource cannot be an excuse.


@ssddanbrown commented on GitHub (May 13, 2022):

@KarelWintersky Sure, it was a joke though, hence why I justified our existing methods in my comment above.
Happy to hear why we're insecure though if you believe this to be a legitimate vulnerability.

Reference: starred/BookStack#2793