On Mon, Feb 02, 2009 at 06:16:38PM -0500, Jesse Vincent wrote:
> Thankfully, at first glance, it looks like the issue you've run into
> isn't particularly dangerous. RT ships with stack trace logging
> disabled and _generally_ the folks who have access to application logs
> are also the folks who manage the application.

I can't say that I find the latter point particularly relevant, as many users are in the habit of re-using passwords across multiple sites. If I, as an RT admin, have access to my RT users' passwords, then that may not present any risk to the security of my RT installation (as admin, I have full access anyhow), but it does potentially place those users' email accounts, bank accounts, etc. at risk if they use the same passwords on those sites as they do on my RT install. This isn't a serious issue for me personally (I use unique passwords for each site where I care about security and I don't currently use any RTs other than my own), but it is definitely significant in the larger scheme of things due to the risk it presents to users who choose to maintain a smaller collection of passwords.

--
Dave Sherohman
NomadNet, Inc.
http://nomadnetinc.com/