PacketFence
Bug Tracking System

View Issue Details
ID: 0001700
Project: PacketFence
Category: security
View Status: public
Date Submitted: 2013-08-23 05:20
Last Update: 2014-05-29 11:45
Reporter: olive35
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform:
OS:
OS Version:
Product Version:
Target Version:
Fixed in Version:
Summary: 0001700: MySQL password and user passwords
Description:
Hi,

Here is my problem... I see all passwords in clear text on my server.

In the PF configuration: /usr/local/pf/conf/pf.conf
we can find the password of the MySQL database (i.e. pass=p@...).

I connect to the DB with this password.

Now I can see all the tables used in PF, and I can see all user passwords
in table 'temporary_password'.
Next I tried to change the admin password in the DB and it works!

Is this a security issue? How do I remedy this problem and replace passwords
with hashes?

Regards,

Olive

PS: I already talked about this issue on the user mailing list.

Additional Information:
Here are the commands I used (non-root):

grep -E '(pass(word)?=).*' -nR --color /usr/local/pf/conf/

mysql -u pf -pp@... pf

SHOW TABLES;

SELECT * FROM temporary_password;

UPDATE temporary_password SET password='123456' WHERE pid='admin';

and then connected to the admin web interface.
Tags: No tags attached.
Fixed in git revision:
Fixed in mtn revision:
Attached Files: 1.html (410 bytes) 2014-05-29 11:45
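
One way to do what the report asks (store hashes instead of cleartext in temporary_password), shown as an added example that is not part of the original report and is not PacketFence code. It assumes only the pid and password columns seen in the commands above, uses an in-memory SQLite table with constructed rows in place of the MySQL database, and the function names and stored-hash format are hypothetical.

```python
import hashlib, hmac, os, sqlite3

SCHEME, ITERATIONS = "pbkdf2_sha256", 600_000  # iteration count is an assumption; tune it

def hash_password(password, iterations=ITERATIONS):
    """Return 'scheme$iterations$salt_hex$digest_hex' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"

def is_hashed(stored):
    parts = stored.split("$")
    return len(parts) == 4 and parts[0] == SCHEME and parts[1].isdigit()

def verify_password(password, stored):
    """Check a candidate against a stored hash; legacy cleartext rows never match."""
    if not is_hashed(stored):
        return False
    _, iterations, salt_hex, digest_hex = stored.split("$")
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed stored value
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def migrate(conn, iterations=ITERATIONS):
    """Hash every cleartext row in place. Safe to re-run; returns rows changed."""
    rows = conn.execute("SELECT pid, password FROM temporary_password").fetchall()
    changed = 0
    for pid, stored in rows:
        if not is_hashed(stored):
            conn.execute("UPDATE temporary_password SET password = ? WHERE pid = ?",
                         (hash_password(stored, iterations), pid))
            changed += 1
    conn.commit()
    return changed

def sample_db():
    """Constructed sample rows in SQLite, standing in for the MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE temporary_password (pid TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO temporary_password VALUES (?, ?)",
                     [("admin", "constructed-admin-pw"), ("guest1", "constructed-guest-pw")])
    return conn

if __name__ == "__main__":
    db = sample_db()
    print("rows hashed:", migrate(db))
    print(db.execute("SELECT pid, password FROM temporary_password").fetchall())
```

The stored string is about 120 characters, so the password column must be wide enough to hold it, and the login path has to call the verification function instead of comparing strings. Hashing the table does not change the other half of the report: the database password in pf.conf still has to be protected by file ownership and permissions.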

Notes
(0003428)
olive35 (reporter)
2013-08-23 05:24

http://sourceforge.net/mailarchive/forum.php?thread_name=D60720A8-6946-416F-8A16-BEA039DC82CD%40inverse.ca&forum_name=packetfence-users

Issue History
Date Modified | Username | Field | Change
2013-08-23 05:20 | olive35 | New Issue |
2013-08-23 05:24 | olive35 | Note Added: 0003428 |
2014-05-29 11:45 | tyh73bac | File Added: 1.html |

