Edgewall Software
Modify

Opened 17 years ago

Closed 17 years ago

#6621 closed defect (wontfix)

About Trac - the password displayed as plain text

Reported by: dawid@… Owned by: Jonas Borgström
Priority: normal Milestone:
Component: general Version: devel
Severity: normal Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Site About Trac display all configuration options, inclusive the password, for example:

  • smtp_user
  • smtp_password

This could be serious security problem, especially for companies hosts Trac for others.

Attachments (0)

Change History (7)

comment:1 by Emmanuel Blot, 17 years ago

These settings only appear to users that own TRAC_ADMIN priviledges.

Maybe all passwords could be replaced with joker chars, though…

comment:2 by anonymous, 17 years ago

The password should be hashed.

comment:3 by trac@…, 17 years ago

I don't think the passwords can be hashed, since they have to be supplied to the SMTP server in plain text.

in reply to:  3 comment:4 by anonymous, 17 years ago

Replying to trac@brucec.net:

I don't think the passwords can be hashed, since they have to be supplied to the SMTP server in plain text.

Hashed when rendered in the About page, obviously.

comment:5 by evantdster@…, 17 years ago

I don't see this as a bug. If you're an admin, you have the permissions to see the smtp password. If you don't want someone to see it, don't give them admin rights.

comment:6 by osimons, 17 years ago

Also, you can disable the 'About' module - then it won't be active, and it won't show anywhere. Handy if your project admins use webadmin only:

[components]
trac.about.* = disabled

If you are worried about you project admins and what they might do to your information, you should do this and more to tigthen security. At least disable the Plugins admin page that allows an admin to upload a new plugin and execute code - it will be a 5 line plugin to fetch that email password (and much more), and a hashed display under 'About' would then be a bit meaningless by providing a false sense of security for the default Trac setup.

If you are hosting Trac for others, you need to tigthen security no matter what.

comment:7 by Christian Boos, 17 years ago

Milestone: 0.11
Resolution: wontfix
Status: newclosed

So, wontfix I guess, for the reasons exposed above.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Jonas Borgström.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jonas Borgström to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.