[rt-users] Security risk! Passwords can be compromised!
Graeme Fowler
G.E.Fowler at lboro.ac.uk
Tue Feb 3 09:23:26 EST 2009
Akash wrote:
> Well, the point is that it is wrong for anyone (even the admin) to know the
> passwords of any user "in the clear" just by looking at the log files.
> (How someone can obtain the passwords is a different matter.)
I disagree. On rare occasions, characters *within* a password can cause
problems - especially in systems where there are proxies or other
handlers such as FastCGI or mod_perl2 which can exert their own
translations to the data they handle. It's always useful, in that event,
to be able to switch the debug level up and see what data the
application is processing.
I've seen several system problems in the past caused by poor, limited or
non-existent escaping of characters in passwords which get translated
into something else by the processing system. Think UTF-8 to other
charset conversions, for example.
It shouldn't be the normal mode of operation, but a high level of debug
info is always a useful tool to have.
Graeme
--
Graeme Fowler
Team Manager, Internet Services and Software Solutions, IT Services
Loughborough University, UK
T: +44 1509 226014 E: G.E.Fowler at lboro.ac.uk
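Added example (not from the thread or from RT itself): one way to keep the high debug level Graeme wants without writing passwords into the log in the clear. Instead of the raw value, the debug record carries character count, byte count, non-ASCII count, Unicode category classes and a keyed fingerprint, which is usually enough to spot the UTF-8/Latin-1 mangling or escaping damage he describes. The field names, the `FINGERPRINT_KEY` and the sample login parameters are constructed for this illustration; `simulate_mojibake` models a handler that re-decodes UTF-8 bytes as Latin-1.

```python
import hashlib
import hmac
import unicodedata

# Constructed key for the fingerprint (hypothetical; a real deployment would
# load it from protected configuration, never hard-code it).
FINGERPRINT_KEY = b"constructed-debug-key"

# Request parameters that must never appear in the clear in a log line.
SENSITIVE_FIELDS = {"password", "pass", "passwd", "new_password"}


def fingerprint(value: str) -> str:
    """Keyed HMAC prefix: two log lines can be compared for equality without
    the log revealing the secret, and the key stops offline guessing from
    the log alone."""
    mac = hmac.new(FINGERPRINT_KEY, value.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:12]


def describe_secret(value: str) -> dict:
    """Diagnostic metadata for a secret: enough to see that a proxy or
    charset conversion changed it, without logging the value itself."""
    raw = value.encode("utf-8")
    return {
        "chars": len(value),
        "bytes": len(raw),
        "non_ascii": sum(1 for c in value if ord(c) > 127),
        # first letter of the Unicode category: L=letter, N=number, S=symbol ...
        "categories": sorted({unicodedata.category(c)[0] for c in value}),
        "nfc": unicodedata.is_normalized("NFC", value),
        "fp": fingerprint(value),
    }


def redact_params(params: dict) -> dict:
    """Return a copy of the request parameters safe to emit at debug level."""
    safe = {}
    for key, value in params.items():
        if key.lower() in SENSITIVE_FIELDS:
            safe[key] = describe_secret(value)
        else:
            safe[key] = value
    return safe


def simulate_mojibake(value: str) -> str:
    """Model a handler that takes UTF-8 bytes and re-decodes them as Latin-1,
    the kind of translation the post blames for broken logins."""
    return value.encode("utf-8").decode("latin-1")


def secret_was_altered(sent: str, received: str) -> bool:
    """Compare what the client sent with what the application received using
    only the redacted descriptions, as an operator reading two debug lines would."""
    return describe_secret(sent) != describe_secret(received)


if __name__ == "__main__":
    # Constructed sample login; the password contains a non-ASCII letter.
    sent = {"user": "akash", "password": "p\u00e4ssword"}
    received = {"user": "akash", "password": simulate_mojibake(sent["password"])}
    print("client sent :", redact_params(sent))
    print("app received:", redact_params(received))
    print("altered in transit:", secret_was_altered(sent["password"], received["password"]))
```

In the sample run the received line shows 9 characters instead of 8, 11 bytes instead of 9, a symbol category that the original password never had, and a different fingerprint, which points straight at a charset conversion in the path without anyone reading the password.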