[rt-users] Security risk! Passwords can be compromised!
Dave Sherohman
dave at sherohman.org
Tue Feb 3 05:53:16 EST 2009
On Mon, Feb 02, 2009 at 06:16:38PM -0500, Jesse Vincent wrote:
> Thankfully, at first glance, it looks like the issue you've run into
> isn't particularly dangerous. RT ships with stack trace logging
> disabled and _generally_ the folks who have access to application logs
> are also the folks who manage the application.
I can't say that I find the latter point particularly relevant, as many
users are in the habit of re-using passwords across multiple sites.
If I, as an RT admin, have access to my RT users' passwords, then that
may not present any risk to the security of my RT installation (as
admin, I have full access anyhow), but it does potentially place those
users' email accounts, bank accounts, etc. at risk if they use the same
passwords on those sites as they do on my RT install.
This isn't a serious issue for me personally (I use unique passwords for
each site where I care about security and I don't currently use any RTs
other than my own), but it is definitely significant in the larger
scheme of things due to the risk it presents to users who choose to
maintain a smaller collection of passwords.
--
Dave Sherohman
NomadNet, Inc.
http://nomadnetinc.com/
More information about the rt-users
mailing list