[rt-users] Security risk! Passwords can be compromised!
Jesse Vincent
jesse at bestpractical.com
Mon Feb 2 18:16:38 EST 2009
Akash,
Just as a general point of etiquette, it's customary to notify vendors
of security related issues privately before publicly announcing them.
Posting the details of security-related issues to a public mailing list
without giving the folks who make a package a chance to address a potential
vulnerability is irresponsible and potentially dangerous.
Thankfully, at first glance, it looks like the issue you've run into
isn't particularly dangerous. RT ships with stack trace logging
disabled and _generally_ the folks who have access to application logs
are also the folks who manage the application.
I do believe that the issue you've noticed merits a note in the config
file that it's possible for sensitive data to get logged if that
function is enabled. I intend to make that change for RT 3.8.3, but
don't currently believe that this issue requires an accelerated release
schedule.
Best,
Jesse Vincent
Best Practical
On Mon 2.Feb'09 at 17:26:14 -0500, Akash wrote:
> Hi all,
>
> When I enabled logging of stack traces, the user passwords are being
> written in cleartext in the log files!
> I enabled stack tracing by adding the following line in
> RT_SiteConfig.pm:
>
> Set($LogStackTraces, 4);
>
> Can somebody please fix this serious error so that passwords are
> encrypted? I am using RT 3.8.1 installed
> from ports on a FreeBSD machine. (Actually I think I got a patch from
> someone in this mailing list.) If
> the error has been fixed in 3.8.2, please let me know.
>
> Also, if a 3.8.2 port is available, is it stable enough to update my 3.8.1
> version?
>
> Thanks,
> Akash.
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>
> Community help: http://wiki.bestpractical.com
> Commercial support: sales at bestpractical.com
>
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com
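The mechanism behind the report above, as an added example that is not part of this thread or of RT's own code: Perl's Carp renders every frame of a stack trace together with that frame's arguments, so any sub that receives a password as a plain scalar will dump it in cleartext whenever a trace is logged. The script below is a stand-in for trace-enabled logging (the logger, the `authenticate_*` subs and the `Secret` class are hypothetical, not RT's); it shows the password in the trace when passed as a plain argument, and only an opaque `Secret=HASH(0x...)` when the same value is passed wrapped in an object, because Carp prints references by address rather than by content.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Carp qw(longmess);

# Stand-in for a logger with stack-trace logging enabled (hypothetical):
# it appends a Carp backtrace to each message. Carp::longmess renders
# every frame *with its arguments*, which is where the leak happens.
sub log_with_trace {
    my ($msg) = @_;
    return $msg . "\n" . longmess("Stack trace");
}

# Vulnerable shape: the secret is a plain scalar argument, so the frame
# "main::authenticate_plain('alice', 'hunter2') called at ..." lands in the log.
sub authenticate_plain {
    my ($user, $password) = @_;
    return log_with_trace("Login failed for $user");
}

# Hardened shape: the secret travels inside an object. Carp formats a
# reference as Class=HASH(0xADDR) instead of dumping what it holds.
package Secret {
    sub new    { my ($class, $value) = @_; return bless { value => $value }, $class }
    sub reveal { return $_[0]{value} }
}

sub authenticate_wrapped {
    my ($user, $secret) = @_;
    my $pw = $secret->reveal;    # still usable where the value is really needed
    return log_with_trace("Login failed for $user");
}

# Constructed sample credentials, used only to drive the two call shapes.
my $plain   = authenticate_plain('alice', 'hunter2');
my $wrapped = authenticate_wrapped('alice', Secret->new('hunter2'));

print "--- trace with plain argument ---\n$plain\n";
print "--- trace with wrapped argument ---\n$wrapped\n";
print "plain trace contains the password:   ", ($plain   =~ /hunter2/ ? "yes" : "no"), "\n";
print "wrapped trace contains the password: ", ($wrapped =~ /hunter2/ ? "yes" : "no"), "\n";
```

Run it with `perl` and compare the two traces. Wrapping only hides the value at the frame boundary: if a caller copies the password back into a plain scalar and passes that on, the next frame leaks it again, and `$Carp::MaxArgLen` (which truncates long argument strings) does not help with a short password. Operationally, the point Jesse makes still stands: once trace logging is on, treat the log files as sensitive and restrict who can read them.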