[rt-users] Security risk! Passwords can be compromised!

Jesse Vincent jesse at bestpractical.com
Mon Feb 2 18:16:38 EST 2009 

Akash,

Just as a general point of etiquette, it's customary to notify vendors
of security related issues privately before publicly announcing them.
Posting the details of security-related issues to a public mailinglist
without giving the folks who make a package to address a potential
vulnerability is irresponsible and potentially dangerous.

Thankfully, at first glance, it looks like the issue you've run into
isn't particularly dangerous.  RT ships with stack trace logging
disabled and _generally_ the folks who have access to application logs
are also the folks who manage the application.

I do believe that the issue you've noticed merits a note in the config
file that it's possible for sensitive data to get logged if that
function is enabled. I intend to make that change for RT 3.8.3, but
don't currently believe that this issue requires an accelerated release
schedule.

Best,

Jesse Vincent
Best Practical


On Mon  2.Feb'09 at 17:26:14 -0500, Akash wrote:
>    Hi all,
> 
>    When I enabled logging of stack traces, the user passwords are being
>    written in cleartext in the log files!
>    I enabled stack tracing by adding the the following line in
>    RT_SiteConfig.pm:
> 
>    Set($LogStackTraces, 4);
> 
>    Can somebody please fix this serious error so that passwords are
>    encrypted?  I am using RT 3.8.1 installed
>    from ports on a FreeBSD machine.  (Actually I think I got a patch from
>    someone in this mailing list.)  If
>    the error has been fixed in 3.8.2, please let me know.
> 
>    Also, if a 3.8.2 port is available, is it stable enough to update my 3.8.1
>    version?
> 
>    Thanks,
>    Akash.

> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
> 
> Community help: http://wiki.bestpractical.com
> Commercial support: sales at bestpractical.com
> 
> 
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
> Buy a copy at http://rtbook.bestpractical.com

-- 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20090202/e1740ac4/attachment.sig>

More information about the rt-users mailing list