Thomas Goirand <tho...@goirand.fr> writes:
> On 02/21/2011 06:07 AM, Ansgar Burchardt wrote:
>> dtc stores user passwords unencrypted in the database:
>> 
>>   $q = "INSERT INTO $pro_mysql_new_admin_table
>>   (reqadm_login,
>>   reqadm_pass,
>>   [...]
>>   VALUES('".$_REQUEST["reqadm_login"]."',
>>   '".$_REQUEST["reqadm_pass"]."',
>> 
>> (from client/new_account_form.php)
>> 
>> This can be verified by executing "SELECT * FROM admin" in dtc's MySQL
>> database which shows the administrator password after installation.
>> 
>> dtc also stores passwords for various services (FTP, ...). I have not
>> looked if passwords are hashed there.
>> 
>> The code in unstable (dtc/0.32.5-1) seems to have the same problems.
>
> Can you reasonably believe that if someone accesses your DTC database,
> then having the password encrypted saves you from the issue? Seriously,
> if someone has access to the database, you are simply dead. I don't
> think having passwords encrypted helps here.

Yes.  He could have gained read-only access or just access to an offline
copy (for example a backup copy).  Also many people reuse passwords
(yes, it's a bad idea, but people do), so this would allow compromise of
further systems.

> Again, it's nice to report, but I don't think this deserves "grave" for
> which we have the following definition:
>
> "makes the package in question unusable by most or all users, or causes
> data loss, or introduces a security hole allowing access to the accounts
> of users who use the package."

Weak password hashing is already seen as a security issue, cf. #610850.
I guess no hashing at all is worse...

Regards,
Ansgar
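
The plaintext-versus-hashed distinction discussed above, as an added example that is not part of this bug report or of dtc's code. It keeps the column names from the quoted snippet (reqadm_login, reqadm_pass) but everything else is an assumption: it uses an in-memory SQLite database through PDO so it runs offline (dtc itself uses MySQL), PHP's password_hash()/password_verify() for the hash, and a hypothetical migration helper for rows that were already stored in the clear by an earlier install.

```php
<?php
// Added example (not dtc's code). Shows what an offline copy of the admin
// table exposes when the password column is stored as-is versus as a
// salted slow hash, and how login verification works against the hash.
// Assumptions: SQLite in memory via PDO, PHP >= 7.x with password_hash().

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (reqadm_login TEXT PRIMARY KEY, reqadm_pass TEXT NOT NULL)');

// Before: equivalent of the quoted INSERT, the secret itself lands in the row.
// Kept only to demonstrate what a dump or backup reveals.
function store_plaintext(PDO $db, string $login, string $pass): void {
    $st = $db->prepare('INSERT INTO admin (reqadm_login, reqadm_pass) VALUES (?, ?)');
    $st->execute([$login, $pass]);
}

// After: store only a verifier. PASSWORD_DEFAULT is bcrypt on current PHP;
// the random salt and the cost factor are embedded in the returned string,
// so a read-only copy of the table yields nothing directly reusable.
function store_hashed(PDO $db, string $login, string $pass): void {
    $st = $db->prepare('INSERT INTO admin (reqadm_login, reqadm_pass) VALUES (?, ?)');
    $st->execute([$login, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Login check against the hashed column. password_verify() re-derives the
// hash using the stored salt/cost and compares in constant time. If the
// stored hash uses an older cost/algorithm, it is upgraded on successful
// login, which is the only moment the plaintext is legitimately available.
function check_login(PDO $db, string $login, string $pass): bool {
    $st = $db->prepare('SELECT reqadm_pass FROM admin WHERE reqadm_login = ?');
    $st->execute([$login]);
    $stored = $st->fetchColumn();
    if ($stored === false || !password_verify($pass, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $up = $db->prepare('UPDATE admin SET reqadm_pass = ? WHERE reqadm_login = ?');
        $up->execute([password_hash($pass, PASSWORD_DEFAULT), $login]);
    }
    return true;
}

// Hypothetical one-shot migration for an existing install: any row whose
// column is not already a password_hash() string is hashed in place.
// password_get_info() reports algo 0 (or null on PHP 8) for non-hash values.
function hash_existing_rows(PDO $db): int {
    $changed = 0;
    $rows = $db->query('SELECT reqadm_login, reqadm_pass FROM admin')->fetchAll(PDO::FETCH_ASSOC);
    $up = $db->prepare('UPDATE admin SET reqadm_pass = ? WHERE reqadm_login = ?');
    foreach ($rows as $row) {
        $info = password_get_info($row['reqadm_pass']);
        if (empty($info['algo'])) {
            $up->execute([password_hash($row['reqadm_pass'], PASSWORD_DEFAULT), $row['reqadm_login']]);
            $changed++;
        }
    }
    return $changed;
}

// Reproduce the "SELECT * FROM admin" check from the report: one row stored
// the old way, one the new way. Constructed sample values.
store_plaintext($db, 'admin-before', 'correct horse battery');
store_hashed($db, 'admin-after', 'correct horse battery');
foreach ($db->query('SELECT reqadm_login, reqadm_pass FROM admin') as $row) {
    echo $row['reqadm_login'], ' -> ', $row['reqadm_pass'], PHP_EOL;
}

var_dump(check_login($db, 'admin-after', 'correct horse battery'));
var_dump(check_login($db, 'admin-after', 'not the password'));

// Migrate the legacy row and confirm the same password still logs in.
echo 'rows migrated: ', hash_existing_rows($db), PHP_EOL;
var_dump(check_login($db, 'admin-before', 'correct horse battery'));
```

Run it with `php example.php`. The dump printed by the loop is the point of the exercise: the first row shows the password itself, the second shows only a bcrypt string that an attacker holding a backup would have to brute-force per row, which also limits the damage from the password reuse mentioned above. The migration helper is the piece a package upgrade would need, since the administrator row created at install time is already in the table; after it runs, the second check_login call succeeds against the now-hashed legacy row.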



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org