[rt-users] Security risk! Passwords can be compromised!

Raed El-Hames rfh at vialtus.com
Tue Feb 3 10:04:59 EST 2009


I would agree with Jesse's input that the first email should have gone to 
Best Practical and not a mailing list. I would also agree with Jesse and 
a couple of others that this is "not" a security risk.
The fact that a sys admin can see a user's password and then use it on 
bank accounts or anything else is a very scary thought; this sys admin 
may have access to far more sensitive systems, such as finance or billing, 
where he/she would be able to access far more information more easily and 
quickly...
I personally think it's a bug that should be looked at, but it's not a 
security risk.

Regards;
Roy

Dave Sherohman wrote:
> On Tue, Feb 03, 2009 at 01:55:41PM +0100, Andreas Heinlein wrote:
>   
>> Dave Sherohman schrieb:
>>     
>>> I can't say that I find the latter point particularly relevant, as many
>>> users are in the habit of re-using passwords across multiple sites.
>>>
>>> If I, as an RT admin, have access to my RT users' passwords, then that
>>> may not present any risk to the security of my RT installation (as
>>> admin, I have full access anyhow), but it does potentially place those
>>> users' email accounts, bank accounts, etc. at risk if they use the same
>>> passwords on those sites as they do on my RT install.
>>>
>>>       
>> If such people want to find out users' passwords in order to try them out
>> elsewhere, they could just remove the cloaking of passwords from the RT
>> source, or sniff the HTTP packets (or set up a man-in-the-middle attack
>> if RT is using HTTPS), or design their own login page that writes down
>> the passwords before passing them to RT, or...
>>     
>
> Fair point, but I still see a significant difference between "turn on
> this switch and we'll hand you the passwords in a log file" and the
> various methods you mention, any of which would require some degree of
> skill and/or effort to implement.  Doubly so when the switch in question
> has other, legitimate, uses which can result in the admin accidentally
> making a plaintext record of the passwords without even realizing it.
>
> --
> Dave Sherohman
> NomadNet, Inc.
> http://nomadnetinc.com/
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>
> Community help: http://wiki.bestpractical.com
> Commercial support: sales at bestpractical.com
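The failure mode Dave describes above, a debug switch that records every form field and so also the login password, is easy to reproduce and easy to avoid. The following is an added illustration, not RT's own code (RT is written in Perl; Python is used here only for brevity): a naive request logger beside one that redacts credential-looking fields before writing, plus a small scan for passwords already recorded in clear in an existing log. The parameter names (`user`, `pass`), the log line format and the sample log lines are all constructed for the example.

```python
"""Added example (not RT code): plaintext passwords in debug logs.

Shows the unsafe "dump every parameter" pattern, a redacting variant,
and an audit that finds credentials already written to a log.
"""
import re
from typing import Iterable, List, Tuple

# Field names that must never reach a log in clear. Substring match on
# purpose: over-redacting a harmless field is cheaper than leaking one.
# (Assumption: typical web form naming; adjust for the real application.)
SENSITIVE_NAMES = re.compile(r"pass|secret|token", re.IGNORECASE)
REDACTED = "[REDACTED]"


def log_request_unsafe(path: str, params: dict) -> str:
    """The problematic pattern: a debug flag dumps every form field verbatim.

    Turned on to troubleshoot, say, a ticket form, it also records the
    login form's password field without the admin intending it.
    """
    fields = " ".join(f"{k}={v}" for k, v in sorted(params.items()))
    return f"DEBUG request {path} {fields}"


def redact(params: dict) -> dict:
    """Return a copy of params with credential-looking values replaced."""
    return {k: (REDACTED if SENSITIVE_NAMES.search(k) else v)
            for k, v in params.items()}


def log_request_safe(path: str, params: dict) -> str:
    """Same debug line, but credentials are scrubbed before formatting."""
    fields = " ".join(f"{k}={v}" for k, v in sorted(redact(params).items()))
    return f"DEBUG request {path} {fields}"


def find_leaked_credentials(log_lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Audit an existing log: return (line number, field name) for every
    credential-looking key=value pair that was not redacted."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in re.finditer(r"(\w+)=(\S+)", line):
            key, value = m.group(1), m.group(2)
            if SENSITIVE_NAMES.search(key) and value != REDACTED:
                hits.append((n, key))
    return hits


# Constructed sample log, as an admin might find it after debugging was on.
CONSTRUCTED_LOG = [
    "DEBUG request /NoAuth/Login.html pass=hunter2 user=alice",
    "DEBUG request /Ticket/Display.html id=42",
    "DEBUG request /NoAuth/Login.html pass=[REDACTED] user=bob",
]


if __name__ == "__main__":
    login = {"user": "alice", "pass": "hunter2"}
    print(log_request_unsafe("/NoAuth/Login.html", login))
    print(log_request_safe("/NoAuth/Login.html", login))
    print(find_leaked_credentials(CONSTRUCTED_LOG))
```

Redacting by field name at the point where the log line is built is the only place the fix is reliable; a post-hoc scan such as `find_leaked_credentials` is useful for deciding whether an existing log must be treated as compromised (and the affected users told to change passwords they may reuse elsewhere), not as a substitute for never writing the value.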