Unsecure passwords for eQSL

OE6PAD
Unsecure passwords for eQSL

Hi,

It seems CQRLOG forces you to choose unsafe passwords for eQSL. The password field in the settings only allows passwords with a length of 8 and only digits and numbers. The field seems to accept special characters like $%_&, but the password (e.g. like %24_dhj8) will not work. There will be an error message when you try to upload your log.

I think today you should use longer passwords and use special characters too. Maybe you think nobody will ever hack a trash-site like eQSL, and you are probably right with that. But your program seems to be well made and that does not fit.

Thanks,
Andy OE6PAD

oh1kh
Unsecure passwords for eQSL

Hi Andy!

How do you think the eQSL password can only be 8 characters long? Cqrlog does not limit that (does eQSL itself?).

I just typed a long number string into preferences/eQSL password. You see just dots there, and when the space gets filled you do not see that it is scrolling to the left.
After closing preferences I did NewQSO/File/Open or create new log/utils/configuration/export to file /tmp/test.ini
Then I opened it with a text editor and there was:
eQSLName=oh1kh
eQSLPass=1234567890123456789012345678901234567890

So at least 40 characters were saved. Then I started cqrlog with the debug=1 parameter from the command console and tried to get an eQSL import.

Debug results:
Sending: fmv

Sending: fmv

(removed the beginning http.... so that forum does make this as a link)
UserName=oh1kh&Password=1234567890123456789012345678901234567890&QTHNickname=home&RcvdSince=20191206
Sending: fmv

So those 40 characters passed as my password to eQSL.

As you can see from the debug text, the character "&" is used as a delimiter in the https post request and so it cannot be a part of the password.
In the same way, html code also has some other reserved characters like "%" and "#" (see: https://www.w3schools.com/html/html_entities.asp )

If login and data fetch from eQSL used something other than an html post request, these special characters could be used as part of passwords.
Now they cannot, and that is not a cqrlog issue.

--
Saku
OH1KH
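
Added example, not part of the original posts and not CQRLOG code: a Python sketch of what a server decodes when the request parameters from the debug output are joined without escaping, compared with percent-encoding each value first. The parameter names come from the debug output above; the values and helper names are constructed, and whether eQSL itself accepts such passwords is not tested here.

```python
from urllib.parse import parse_qs, quote, urlencode


def make_params(password):
    """Parameter names as in the thread's debug output; values are constructed."""
    return {
        "UserName": "oh1kh",
        "Password": password,
        "QTHNickname": "home",
        "RcvdSince": "20191206",
    }


def build_naive(params):
    """Join key=value pairs with '&' and no escaping (the failure mode)."""
    return "&".join(f"{key}={value}" for key, value in params.items())


def build_encoded(params):
    """Percent-encode every value so '&', '%', '#' travel as data, not syntax."""
    return urlencode(params, quote_via=quote)


def server_view(query):
    """Decode a query/form string the way a standard form parser does."""
    parsed = parse_qs(query, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def round_trips(password):
    """Return (naive_ok, encoded_ok): does the decoded password equal the input?"""
    params = make_params(password)
    naive = server_view(build_naive(params)).get("Password")
    encoded = server_view(build_encoded(params)).get("Password")
    return naive == password, encoded == password


if __name__ == "__main__":
    # Constructed sample passwords: digits only, the one from the first post,
    # and one containing the delimiter characters discussed in the reply.
    for pw in ("1234567890123456789012345678901234567890", "%24_dhj8", "a&b#c%"):
        params = make_params(pw)
        print(repr(pw), round_trips(pw))
        print("  naive  :", build_naive(params))
        print("  encoded:", build_encoded(params))
```

Sent unescaped, `%24_dhj8` is decoded as `$_dhj8`, so the value compared on the receiving side is not the password that was typed.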