Mithrandir wrote:
Before you call it paranoid and exaggerated, let me tell you a little story:
A site running with XOOPS 2.0.10 and autologin hack is hacked. How? Because of a hacker being able to construct a cookie that resembles the autologin cookie of an administrator. How did he do that? He used the password hash of the administrator, which he got from the database through an SQL injection hole in the XML-RPC interface. How did he get the password hash? He knew the username of the administrator.
So what is the solution to making sure this doesn't happen again? We first closed the hole in the XML-RPC interface, but is that enough? I don't think so. If another hole appears somewhere else in the core or in a module, we have the whole problem once again.
...
Sorry, but I disagree!
If somebody can read or write SQL for any reason, they can find any user record; the uid field is used in many places. It's not hard to learn any user's uid.
If you know the uid, you can easily locate this user's record in the db.
It's really not necessary to know the user's login name.
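The design point behind Mithrandir's story is that the autologin cookie could be reconstructed from data sitting in the users table (the password hash), so any read access to the database, whichever field the attacker looks up first, was enough to mint an administrator cookie. A remember-me scheme avoids that whole class of problem when the cookie carries a fresh random secret and the database stores only a digest of it. The following is an added example written for this discussion, not XOOPS code and not the autologin hack from the thread; the in-memory table, its field names and the `uid:secret` cookie layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for a users table (uid -> record). Field names are
# assumptions for this example, not the real XOOPS schema.
@dataclass
class UserRecord:
    uid: int
    uname: str
    password_hash: str                    # what an SQL injection would expose
    autologin_hash: Optional[str] = None  # digest of the remember-me secret, never the secret


def _digest(secret: str) -> str:
    # The secret has 256 bits of entropy, so a plain SHA-256 is enough here;
    # slow password hashing is only needed for low-entropy, user-chosen input.
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_autologin_cookie(db: Dict[int, UserRecord], uid: int) -> str:
    """Mint a remember-me cookie for uid.

    The cookie value is a fresh random secret; the table keeps only its digest.
    Nothing here is derived from the password hash, so a copy of the users
    table (uid, uname, password_hash, autologin_hash) is not enough to build it.
    """
    secret = secrets.token_urlsafe(32)
    db[uid].autologin_hash = _digest(secret)
    return f"{uid}:{secret}"


def validate_autologin_cookie(db: Dict[int, UserRecord], cookie: str) -> Optional[int]:
    """Return the uid the cookie authenticates, or None if it is not valid."""
    try:
        uid_str, secret = cookie.split(":", 1)
        uid = int(uid_str)
    except ValueError:
        return None
    rec = db.get(uid)
    if rec is None or rec.autologin_hash is None:
        return None
    # Constant-time comparison so the check itself does not leak the digest.
    if not hmac.compare_digest(_digest(secret), rec.autologin_hash):
        return None
    return uid


def revoke_autologin(db: Dict[int, UserRecord], uid: int) -> None:
    """Logout or password change: drop the digest so old cookies stop working."""
    db[uid].autologin_hash = None


def leaked_table_cannot_forge(db: Dict[int, UserRecord], uid: int) -> bool:
    """Defender's self-check: everything a full table read exposes for uid
    (uname, password hash, stored autologin digest) is tried as the cookie
    secret; the scheme is sound only if none of them validate."""
    rec = db[uid]
    leaked_values = [rec.uname, rec.password_hash, rec.autologin_hash or ""]
    return all(validate_autologin_cookie(db, f"{uid}:{v}") is None for v in leaked_values)


def make_sample_db() -> Dict[int, UserRecord]:
    # Constructed sample data; the "hash" is a placeholder string, not a real digest.
    return {1: UserRecord(uid=1, uname="admin", password_hash="PLACEHOLDER_PASSWORD_HASH")}


if __name__ == "__main__":
    db = make_sample_db()
    cookie = issue_autologin_cookie(db, 1)
    print("valid cookie ->", validate_autologin_cookie(db, cookie))
    print("table leak alone forges a cookie? ->", not leaked_table_cannot_forge(db, 1))
    revoke_autologin(db, 1)
    print("after revoke ->", validate_autologin_cookie(db, cookie))
```

With this layout, closing the XML-RPC hole is still necessary, but a future read-only hole in some module no longer hands out administrator sessions: the attacker would need the secret that only the browser holds, and a password change or logout invalidates every outstanding cookie by clearing the digest.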