Thomas Goirand <tho...@goirand.fr> writes:

> On 02/21/2011 06:07 AM, Ansgar Burchardt wrote:
>> dtc stores user passwords unencrypted in the database:
>>
>>   $q = "INSERT INTO $pro_mysql_new_admin_table
>>     (reqadm_login,
>>      reqadm_pass,
>>      [...]
>>     VALUES('".$_REQUEST["reqadm_login"]."',
>>            '".$_REQUEST["reqadm_pass"]."',
>>
>> (from client/new_account_form.php)
>>
>> This can be verified by executing "SELECT * FROM admin" in dtc's MySQL
>> database which shows the administrator password after installation.
>>
>> dtc also stores passwords for various services (FTP, ...). I have not
>> looked if passwords are hashed there.
>>
>> The code in unstable (dtc/0.32.5-1) seems to have the same problems.
>
> Can you reasonably believe that if someone accesses your DTC database,
> then having the password encrypted saves you from the issue? Seriously,
> if someone has access to the database, you are simply dead. I don't
> think having the password encrypted helps here.
Yes. He could have gained read-only access or just access to an offline
copy (for example a backup copy). Also many people reuse passwords (yes,
it's a bad idea, but people do), so this would allow compromise of
further systems.

> Again, it's nice to report, but I don't think this deserves "grave" for
> which we have the following definition:
>
> "makes the package in question unusable by most or all users, or causes
> data loss, or introduces a security hole allowing access to the accounts
> of users who use the package."

Weak password hashing is already seen as a security issue, cf. #610850.
I guess no hashing at all is worse...

Regards,
Ansgar

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
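The point of the exchange above, shown as an added example that is not part of the thread and not dtc's own code: the same "SELECT * FROM admin" check Ansgar describes is run against an in-memory SQLite table standing in for dtc's MySQL admin table, once with the request parameter stored as-is and once with a salted, iterated hash. Only the column names (reqadm_login, reqadm_pass) and the table name come from the report; the PBKDF2 scheme, the work factor, the encoding of the stored value and the helper names are assumptions chosen for illustration, not what dtc or its fix does. The hashed variant also binds the values as query parameters rather than interpolating them into the SQL string.

```python
"""Plaintext versus hashed credential storage, mirrored on dtc's admin table.

Added example, not dtc code. SQLite stands in for dtc's MySQL database;
the table/column names follow the INSERT quoted in the bug report, the
hashing scheme is an assumption.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000  # assumed work factor: slow enough to hurt offline guessing
SALT_BYTES = 16


def open_db() -> sqlite3.Connection:
    """Create the minimal admin table (column names as in the report)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE admin (reqadm_login TEXT PRIMARY KEY, reqadm_pass TEXT NOT NULL)"
    )
    return db


def insert_plaintext(db: sqlite3.Connection, login: str, password: str) -> None:
    """What the report describes: the request parameter is stored unchanged."""
    db.execute(
        "INSERT INTO admin (reqadm_login, reqadm_pass) VALUES (?, ?)",
        (login, password),
    )


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2$<iter>$<salthex>$<dkhex>'."""
    salt = salt or os.urandom(SALT_BYTES)  # fresh per-record salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # not in our format (e.g. a plaintext record)
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def insert_hashed(db: sqlite3.Connection, login: str, password: str) -> None:
    """Hardened variant: store only the salted hash, bound as a parameter."""
    db.execute(
        "INSERT INTO admin (reqadm_login, reqadm_pass) VALUES (?, ?)",
        (login, hash_password(password)),
    )


def dump_admin(db: sqlite3.Connection) -> list[tuple[str, str]]:
    """The check from the report: what an attacker with the DB (or a backup) sees."""
    return db.execute("SELECT reqadm_login, reqadm_pass FROM admin").fetchall()


def password_visible_in_dump(db: sqlite3.Connection, password: str) -> bool:
    """True if the raw password is readable straight out of the dump."""
    return any(stored == password for _, stored in dump_admin(db))


if __name__ == "__main__":
    # Constructed sample credential, not taken from any real installation.
    for insert in (insert_plaintext, insert_hashed):
        db = open_db()
        insert(db, "admin", "correct horse battery staple")
        print(insert.__name__, dump_admin(db),
              "leaks:", password_visible_in_dump(db, "correct horse battery staple"))
```

With the plaintext insert the dump hands the attacker a working credential (and, given password reuse, possibly credentials for other systems); with the hashed insert the dump yields only a salt and a derived key that must be guessed offline at PBKDF2_ITERATIONS cost per attempt, while verify_password still authenticates the real user.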