[rt-users] Security risk! Passwords can be compromised!

Andreas Heinlein aheinlein at gmx.com
Tue Feb 3 10:25:04 EST 2009


Dave Sherohman schrieb:
> On Tue, Feb 03, 2009 at 01:55:41PM +0100, Andreas Heinlein wrote:
>   
>> Dave Sherohman schrieb:
>>     
>>> I can't say that I find the latter point particularly relevant, as many
>>> users are in the habit of re-using passwords across multiple sites.
>>>
>>> If I, as an RT admin, have access to my RT users' passwords, then that
>>> may not present any risk to the security of my RT installation (as
>>> admin, I have full access anyhow), but it does potentially place those
>>> users' email accounts, bank accounts, etc. at risk if they use the same
>>> passwords on those sites as they do on my RT install.
>>>   
>>>       
>> If such people want to find out users passwords in order to try them out
>> elsewhere, they could just remove the cloaking of passwords from the RT
>> source, or sniff the http packets (or set up a man-in-the-middle-attack
>> if RT is using HTTPS), or design their own login page that writes down
>> the passwords before passing them to RT, or...
>>     
>
> Fair point, but I still see a significant difference between "turn on
> this switch and we'll hand you the passwords in a log file" and the
> various methods you mention, any of which would require some degree of
> skill and/or effort to implement. 
aptitude install dsniff
dsniff -i eth0 > passwords.txt

That's it, basically ;-)
(when run on the RT server)

Bye,
Andreas



More information about the rt-users mailing list