[rt-users] Wide character in crypt generates stack trace with password revealed

Ruslan Zakirov ruslan.zakirov at gmail.com
Tue Apr 20 07:51:09 EDT 2010


Hello Martin,

1) There is a warning in the config regarding using stack traces and how
it can reveal secure information.
2) This particular problem has been solved in RT 3.8.8 RC2.

2010/4/20 Martin Drasar <drasar at ics.muni.cz>:
> Hi everyone,
> when logging into RT having a Czech keyboard accidentally set, wide
> characters may be accidentally supplied to the password routine. (Czech
> keyboards have letters with wedges in the same row as numbers).
> This causes the error shown in the attached page, revealing the password to
> bystanders as well as needlessly showing the RT path.
>
> I am providing a quick patch that catches the exception generated by
> crypt and makes RT behave as if an ordinary bad password was provided.
>
> Martin
>
> --
> Mgr. Martin Drasar                                   drasar at ics.muni.cz
> Network Security Department                         http://ics.muni.cz/
> CSIRT-MU                                       http://www.muni.cz/csirt
> Institute of Computer Science, Masaryk University, Brno, Czech Republic
>                       PGP Key ID: 0x944BC925



-- 
Best regards, Ruslan.
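
The approach described in the quoted message (trap the exception from crypt and treat it as a bad password), as an added example that is not part of the original thread and is neither RT's code nor the posted patch. The helper name `check_password`, the salt and the passwords are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not RT's API): returns 1 only when $supplied hashes
# to $stored_hash. Any failure inside crypt() is treated as a bad password.
sub check_password {
    my ($supplied, $stored_hash) = @_;
    return 0 unless defined $supplied && length $supplied;
    return 0 unless defined $stored_hash && length $stored_hash;

    # crypt() dies with "Wide character in crypt" when the string holds a
    # code point above 255. Trap it here so the exception, and the argument
    # list a stack trace would print, never reach the error page.
    my $computed = eval { crypt($supplied, $stored_hash) };
    if (!defined $computed) {
        # Log only a fixed message: neither $supplied nor a trace.
        warn "password check failed: input not hashable\n";
        return 0;
    }
    return $computed eq $stored_hash ? 1 : 0;
}

# Constructed sample data: a two-character salt and made-up passwords.
my $stored = crypt('2345secret', 'ab');

# The same keys typed on a Czech layout: the number row 2 3 4 5
# produces the letters U+011B, U+0161, U+010D, U+0159 instead of digits.
my $czech = "\x{11B}\x{161}\x{10D}\x{159}secret";

printf "correct password : %d\n", check_password('2345secret', $stored);
printf "wrong password   : %d\n", check_password('wrong',      $stored);
printf "wide characters  : %d\n", check_password($czech,       $stored);
```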