Scott Classen writes:
> I'm not sure if this is truly a vulnerability, but I thought I'd put
> it out there for discussion.
> (...)
> When I back up the bdb database via slapcat -l backup.ldif the
> userPassword field looks to be Base64 hashed.
> (...)
> but the passwd history leaves the passwd hashes visible.
If you can get at the base64 representation, you can also base64-decode it. However, if a userPassword contains a plaintext password and is not base64-encoded, you can then accidentally display the password for others to see. I think that's why userPassword is displayed in base64.

I don't remember if pwdHistory can contain a currently active password? Otherwise it doesn't seem much of a problem.

But this reminds me - there are also back-config attributes which contain passwords, in particular olcRootPW. I'm not sure that is a problem though. Hopefully people are more careful with who is looking when they are playing with cn=config, in particular if they have plaintext passwords there. And base64-encoding it could frustrate people who _want_ to read it. I don't know whether the best approach is to base64 those attributes or leave them alone.

-- 
Regards,
Hallvard
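As an added illustration of the point made in this reply (example code, not from the thread or from OpenLDAP): a small LDIF reader that treats `attr:: value` as base64 and `attr: value` as literal, then lists every password hash readable from a slapcat backup. The base64 form of userPassword decodes trivially, and pwdHistory hashes are visible either way. The sample LDIF, the DN and the hash value are constructed.

```python
import base64
import re

# Constructed sample of slapcat output (not from the original post). slapcat
# base64-encodes userPassword ("::"), but pwdHistory is written in the clear;
# long values are folded onto continuation lines that begin with one space.
PLAIN_HASH = "{SSHA}constructed-demo-hash"  # 27 characters, not a real hash
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "uid: alice\n"
    "userPassword:: " + base64.b64encode(PLAIN_HASH.encode()).decode() + "\n"
    "pwdHistory: 20240101120000Z#1.3.6.1.4.1.1466.115.121.1.40#27#{SSHA}\n"
    " constructed-demo-hash\n"
)

# RFC 2307 style scheme prefix such as {SSHA} or {CRYPT}
HASH_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")


def unfold(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries mapping attribute name -> list of string values.
    'attr:: v' is base64 (decoded here); 'attr: v' is taken literally."""
    entries, current = [], {}
    for line in unfold(text):
        if not line or line.startswith("#"):  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def exposed_hashes(entries):
    """List (dn, attribute, hash) for each hash readable from the backup, whether
    or not slapcat base64-encoded it. pwdHistory is time#syntaxOID#length#data,
    so the hash is the last field."""
    found = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        for attr, values in entry.items():
            for v in values:
                data = v.split("#", 3)[-1] if attr.lower() == "pwdhistory" else v
                if HASH_RE.match(data):
                    found.append((dn, attr, data))
    return found
```

Running `exposed_hashes(parse_ldif(SAMPLE_LDIF))` reports the same hash twice, once from the base64-encoded userPassword and once from the cleartext pwdHistory value, which is why the encoding alone offers no protection for a backup file.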
