Hi Christian,

Passwords are removed from log files using the filter_parameter_logging parameter. This feature is applied in the code; see the line in login_controller.rb<http://dev.eclipse.org/viewcvs/index.cgi/org.eclipse.epf/epfwiki/source/app/controllers/login_controller.rb?revision=1.13&root=Technology_Project&view=markup>:

    filter_parameter_logging :password, :password_confirmation

Passwords are not stored anywhere. Only a 'hash' of the password is saved to the database together with the account details (name, email). As a consequence it is not possible to recover or resend a lost password. If you look for example at http://epf.eclipse.org/login/lost_password you will notice that you have to provide a new password. The new password will only become active after it is confirmed using the confirmation link in the email that will be sent when the form is submitted.

I don't know of any other known security issues. Currently there are no issues in Eclipse Bugs regarding security.

Best Regards,
Onno

On Tue, Mar 16, 2010 at 11:45 AM, <[email protected]> wrote:
> Hi There,
>
> I'm charged with finding out if there are any known security issues within
> the epf wiki? Are there logs with personal data, and if so, for how long are
> they held ready by default? How are the registered users stored and
> especially how is the login password stored? Would be nice if someone could
> help me out.
>
> With kind regards
>
> Christian Kopietz
>
> Bachelor of Computer Science
> IT-Infrastructure & Applications
>
> --
> Innovations Software Technology GmbH
> Bosch Group
> Ziegelei 7, 88090 Immenstaad/GERMANY
> Tel. +49 7545 202-251
> Fax +49 7545 202-301
> mailto:[email protected] <[email protected]>
> www.innovations.de
>
> Executives: Achim Berger, Thomas Cotic, Thomas Schmid
> Register Court Ulm HRB 631888
>
> This message may contain confidential and privileged information. Any
> unauthorized review, use, disclosure or distribution is prohibited. If you
> are not the intended recipient, please inform us immediately and destroy
> this message including all copies thereof.
>
> _______________________________________________
> epf-dev mailing list
> [email protected]
> https://dev.eclipse.org/mailman/listinfo/epf-dev
_______________________________________________ epf-dev mailing list [email protected] https://dev.eclipse.org/mailman/listinfo/epf-dev
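The two mechanisms Onno describes (the request-parameter log filter and the hash-only password storage with a confirmed reset) are small enough to show end to end. The following Ruby is an added example written for this archive page, not code from the EPF wiki or from Rails; filter_params is a hypothetical stand-in for what Rails' filter_parameter_logging does to a request before it is logged, and the choice of PBKDF2-HMAC-SHA256 with a per-account salt is an assumption, since the mail does not say which hash the wiki used.

```ruby
require 'openssl'
require 'securerandom'

# Parameter names whose values must never reach the log. These are the two
# names passed to filter_parameter_logging in the mail.
FILTERED_KEYS = %w[password password_confirmation].freeze

# Hypothetical stand-in for Rails' request-parameter log filter: returns a
# copy of the params hash with sensitive values replaced by "[FILTERED]",
# so the line written to the log carries the login name but no secret.
def filter_params(params, keys = FILTERED_KEYS)
  params.each_with_object({}) do |(key, value), out|
    out[key] = keys.include?(key.to_s) ? '[FILTERED]' : value
  end
end

# Constant-time comparison so that a wrong digest or token is not
# distinguishable by how quickly it is rejected.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

PBKDF2_ITERATIONS = 100_000 # assumed work factor, not the wiki's setting

# Salted PBKDF2-HMAC-SHA256 digest (assumed algorithm). Only salt and digest
# are kept; the cleartext is discarded, which is why a lost password cannot
# be recovered or resent.
def derive(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: 'sha256').unpack1('H*')
end

class Account
  attr_reader :name, :email

  def initialize(name:, email:, password:)
    @name = name
    @email = email
    @salt = SecureRandom.hex(16)
    @digest = derive(password, @salt)
    @pending = nil # { salt:, digest:, token: } while a reset awaits confirmation
  end

  def authenticate(candidate)
    secure_compare(derive(candidate, @salt), @digest)
  end

  # Lost-password flow as described in the mail: the user supplies a NEW
  # password; it stays inactive until the token from the confirmation email
  # is presented. The returned token is what the link would carry.
  def request_password_change(new_password)
    salt = SecureRandom.hex(16)
    token = SecureRandom.urlsafe_base64(24)
    @pending = { salt: salt, digest: derive(new_password, salt), token: token }
    token
  end

  def confirm_password_change(token)
    return false unless @pending && secure_compare(@pending[:token], token)
    @salt = @pending[:salt]
    @digest = @pending[:digest]
    @pending = nil
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters, as a login form would post them.
  params = { 'login' => 'onno', 'password' => 'hunter2', 'password_confirmation' => 'hunter2' }
  puts "Parameters: #{filter_params(params).inspect}"

  acct = Account.new(name: 'Onno', email: 'onno@example.invalid', password: 'old-secret')
  token = acct.request_password_change('new-secret')
  puts "old password still valid before confirmation: #{acct.authenticate('old-secret')}"
  acct.confirm_password_change(token)
  puts "new password valid after confirmation: #{acct.authenticate('new-secret')}"
end
```

The pending digest is computed when the reset is requested, so the new cleartext never has to be held until the confirmation link is clicked; the old digest stays in force until a matching token arrives, which is the property the mail describes for the lost_password page.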
