On 02/21/2011 06:07 AM, Ansgar Burchardt wrote:
> Package: dtc-common
> Version: 0.29.17-1
> Severity: grave
> Tags: upstream security
> 
> dtc stores user passwords unencrypted in the database:
> 
>   $q = "INSERT INTO $pro_mysql_new_admin_table
>   (reqadm_login,
>   reqadm_pass,
>   [...]
>   VALUES('".$_REQUEST["reqadm_login"]."',
>   '".$_REQUEST["reqadm_pass"]."',
> 
> (from client/new_account_form.php)
> 
> This can be verified by executing "SELECT * FROM admin" in dtc's MySQL
> database which shows the administrator password after installation.
> 
> dtc also stores passwords for various services (FTP, ...). I have not
> checked whether passwords are hashed there.
> 
> The code in unstable (dtc/0.32.5-1) seems to have the same problems.
> 
> Ansgar

Can you reasonably believe that if someone accesses your DTC database,
having the password encrypted saves you from the issue? Seriously, if
someone has access to the database, you are simply dead. I don't think
having passwords encrypted helps here.

As you noted, many daemons authenticate directly against the database,
using the clear-text password. Switching everything to encrypted
passwords would require checking that every single daemon accessing (a
part of) the DTC db can do so with encrypted passwords. This isn't
trivial at all.

Again, it's nice to report, but I don't think this deserves "grave" for
which we have the following definition:

"makes the package in question unusable by most or all users, or causes
data loss, or introduces a security hole allowing access to the accounts
of users who use the package."

but rather severity important:

"a bug that does not undermine the usability of the whole package; for
example, a problem with a particular option or menu item."

Thomas
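As an added example (not DTC's code, and not from either message in this thread): the quoted INSERT beside a form that stores a crypt(3) SHA-512 hash instead of the password, and that binds the request values rather than concatenating them into the SQL string, since the quoted fragment interpolates $_REQUEST[...] directly. The table name, the PDO handle, and the in-memory SQLite database standing in for MySQL are assumptions made for the demo. Whether a particular daemon's SQL auth backend can verify crypt(3)-style hashes is a per-daemon configuration question (pure-ftpd's MYSQLCrypt and proftpd's SQLAuthTypes both have a crypt mode); the example only shows the storage and verification side.

```php
<?php
// Added example, not DTC code. Table/column names follow the fragment quoted
// in the bug report; the PDO handle and SQLite backend are demo assumptions.

// Produce a crypt(3) SHA-512 hash ("$6$" prefix) with a random 16-character
// salt. glibc crypt(3) verifies this format, so a daemon whose SQL backend
// calls crypt() on the stored value can still authenticate against it.
function hash_password_sha512crypt(string $plain): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $hash = crypt($plain, '$6$' . $salt . '$');
    // crypt() returns a string shorter than 13 chars on failure.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() does not support SHA-512 here');
    }
    return $hash;
}

// Recompute with the stored salt and compare in constant time.
function verify_password(string $plain, string $stored): bool
{
    return hash_equals($stored, crypt($plain, $stored));
}

// Before (as quoted in the report): plaintext password, and $_REQUEST values
// interpolated straight into the SQL string:
//   $q = "INSERT INTO $pro_mysql_new_admin_table (reqadm_login, reqadm_pass, ...)
//        VALUES('".$_REQUEST["reqadm_login"]."', '".$_REQUEST["reqadm_pass"]."', ...

// After: hash before storing, bind the values instead of concatenating them.
// $table cannot be a bound parameter; it must come from configuration, never
// from the request.
function insert_admin_request(PDO $pdo, string $table, string $login, string $plain): void
{
    $stmt = $pdo->prepare("INSERT INTO $table (reqadm_login, reqadm_pass) VALUES (:login, :pass)");
    $stmt->execute([
        ':login' => $login,
        ':pass'  => hash_password_sha512crypt($plain),
    ]);
}

// Login check: fetch the stored hash for the login and verify against it.
function check_admin_login(PDO $pdo, string $table, string $login, string $plain): bool
{
    $stmt = $pdo->prepare("SELECT reqadm_pass FROM $table WHERE reqadm_login = :login");
    $stmt->execute([':login' => $login]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && verify_password($plain, $stored);
}

// Self-contained demo: in-memory SQLite stands in for DTC's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE new_admin (reqadm_login TEXT PRIMARY KEY, reqadm_pass TEXT)');
insert_admin_request($pdo, 'new_admin', 'alice', 'correct horse battery');

var_dump(check_admin_login($pdo, 'new_admin', 'alice', 'correct horse battery'));
var_dump(check_admin_login($pdo, 'new_admin', 'alice', 'wrong password'));

// What "SELECT * FROM new_admin" now shows is a "$6$..." hash, not the password.
var_dump($pdo->query('SELECT reqadm_pass FROM new_admin')->fetchColumn());
```

The first check succeeds and the second fails; the final SELECT returns the `$6$`-prefixed hash, which is the difference from the `SELECT * FROM admin` result described in the report. Storing a hash does not protect an account against an attacker who can also write to the table, and daemons that read `reqadm_pass` expecting clear text will break until they are switched to a crypt-capable auth mode, which is the per-daemon check the reply above describes.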



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org