[rt-users] Security risk! Passwords can be compromised!

Graeme Fowler G.E.Fowler at lboro.ac.uk
Tue Feb 3 09:23:26 EST 2009


Akash wrote:
> Well, the point is that it is wrong for anyone (even the admin) to know the
> passwords of any user "in the clear" just by looking at the log files.
> (How someone can obtain the passwords is a different matter.)

I disagree. On rare occasions, characters *within* a password can cause 
problems - especially in systems where there are proxies or other 
handlers such as FastCGI or mod_perl2 which can exert their own 
translations to the data they handle. It's always useful, in that event, 
to be able to switch the debug level up and see what data the 
application is processing.

I've seen several system problems in the past caused by poor, limited or 
non-existent escaping of characters in passwords which get translated 
into something else by the processing system. Think UTF-8 to other 
charset conversions, for example.

It shouldn't be the normal mode of operation, but a high level of debug 
info is always a useful tool to have.

Graeme
-- 
Graeme Fowler
Team Manager, Internet Services and Software Solutions, IT Services
Loughborough University, UK
T: +44 1509 226014                        E: G.E.Fowler at lboro.ac.uk
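The two positions in this exchange can be reconciled by having the debug level log a structured description of the credential rather than the credential itself: the encoding and escaping problems Graeme describes stay visible, while the clear-text value Akash objects to never reaches the log. The Python below is an added illustration, not code from this thread or from RT; the fingerprint key, the field names and the sample password are constructed.

```python
import hashlib
import hmac
import unicodedata

# Constructed key for this illustration only; a real deployment would load a
# per-installation secret that is not stored alongside the log files.
FINGERPRINT_KEY = b"example-key-not-for-production"

# Form field names that must never reach the log in the clear (constructed).
SECRET_FIELDS = {"pass", "password", "new_password"}


def describe_secret(value: str, key: bytes = FINGERPRINT_KEY) -> dict:
    """Summarise a secret for debug output without recording it in the clear.

    Reports the properties that change when a proxy or handler re-encodes or
    escapes the data: character vs. byte length (they differ only for
    non-ASCII input), whether NFC normalisation would alter the string, and
    whether control characters or edge whitespace are present. The keyed
    fingerprint lets two log lines be compared without exposing the value.
    """
    raw = value.encode("utf-8")
    return {
        "chars": len(value),
        "bytes": len(raw),
        "ascii_only": raw.isascii(),
        "nfc_stable": unicodedata.normalize("NFC", value) == value,
        "has_control": any(unicodedata.category(c) == "Cc" for c in value),
        "edge_whitespace": value != value.strip(),
        "fingerprint": hmac.new(key, raw, hashlib.sha256).hexdigest()[:16],
    }


def redact_for_log(form: dict, secret_fields=SECRET_FIELDS) -> dict:
    """Copy of submitted form data that is safe to emit at debug level."""
    return {
        name: describe_secret(value) if name.lower() in secret_fields else value
        for name, value in form.items()
    }


def misread_as_latin1(value: str) -> str:
    """Simulate a handler that takes UTF-8 bytes for Latin-1 and passes the
    result on as text (constructed stand-in for the translations the thread
    describes). Downstream, every non-ASCII character ends up double-encoded."""
    return value.encode("utf-8").decode("latin-1")
```

Comparing `redact_for_log({"pass": "pässwörd"})` with the same form after `misread_as_latin1` shows a different byte count and fingerprint, which is enough to diagnose the translation without the password appearing in the log.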
