Opened 17 years ago
Closed 17 years ago
#6621 closed defect (wontfix)
About Trac - the password displayed as plain text
| Reported by: | | Owned by: | Jonas Borgström |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | general | Version: | devel |
| Severity: | normal | Keywords: | |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
The About Trac page displays all configuration options, including the passwords, for example:
- smtp_user
- smtp_password
This could be a serious security problem, especially for companies that host Trac for others.
Attachments (0)
Change History (7)
comment:1 by , 17 years ago
comment:3 by , 17 years ago (follow-up: 4)
I don't think the passwords can be hashed, since they have to be supplied to the SMTP server in plain text.
comment:4 by , 17 years ago
Replying to trac@brucec.net:
> I don't think the passwords can be hashed, since they have to be supplied to the SMTP server in plain text.
Hashed when rendered in the About page, obviously.
comment:5 by , 17 years ago
I don't see this as a bug. If you're an admin, you have the permissions to see the smtp password. If you don't want someone to see it, don't give them admin rights.
comment:6 by , 17 years ago
Also, you can disable the 'About' module - then it won't be active, and it won't show anywhere. Handy if your project admins use webadmin only:
    [components]
    trac.about.* = disabled
If you are worried about your project admins and what they might do to your information, you should do this and more to tighten security. At least disable the Plugins admin page that allows an admin to upload a new plugin and execute code - it will be a 5-line plugin to fetch that email password (and much more), and a hashed display under 'About' would then be a bit meaningless by providing a false sense of security for the default Trac setup.
If you are hosting Trac for others, you need to tighten security no matter what.
comment:7 by , 17 years ago
| Milestone: | 0.11 |
|---|---|
| Resolution: | → wontfix |
| Status: | new → closed |
So, wontfix I guess, for the reasons exposed above.
These settings only appear to users that own TRAC_ADMIN privileges. Maybe all passwords could be replaced with joker chars, though…
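The two mitigations raised in this thread, disabling the About module through `[components]` (comment 6) and masking password-like options when the configuration is rendered (comment 7), as an added example that is not Trac's own code. It parses a constructed trac.ini fragment with Python's `configparser` (trac.ini is ini-format), checks whether `trac.about.*` is disabled, and renders the options with any option whose name contains a secret-looking marker replaced by a fixed mask. The `[notification]` values and the list of marker words are assumptions made for the example.

```python
"""Redact password-like options before rendering a Trac-style ini config.

Added example, not Trac code. Assumes the config is in ini format (as
trac.ini is) and that an option is a secret when its name contains one of
the markers in SECRET_MARKERS.
"""
import configparser
import re

# Constructed sample trac.ini fragment; the values are made up for this example.
SAMPLE_INI = """
[notification]
smtp_server = mail.example.org
smtp_user = tracbot
smtp_password = hunter2

[components]
trac.about.* = disabled
"""

# Option-name fragments treated as secrets (case-insensitive). Assumed list.
SECRET_MARKERS = ("password", "passwd", "secret", "token")
SECRET_RE = re.compile("|".join(SECRET_MARKERS), re.IGNORECASE)

# Joker characters shown in place of a secret value.
MASK = "********"


def is_secret_option(name: str) -> bool:
    """True if an option name looks like it holds a credential."""
    return SECRET_RE.search(name) is not None


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse ini text; interpolation is off so '%' in a password is kept literally."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def about_module_disabled(parser: configparser.ConfigParser) -> bool:
    """Comment 6's mitigation: is trac.about.* set to 'disabled' in [components]?"""
    if not parser.has_section("components"):
        return False
    value = parser.get("components", "trac.about.*", fallback="")
    return value.strip().lower() == "disabled"


def redacted_options(parser: configparser.ConfigParser):
    """Return [(section, option, shown_value)], masking secret-looking options."""
    rows = []
    for section in parser.sections():
        for option, value in parser.items(section):
            shown = MASK if is_secret_option(option) else value
            rows.append((section, option, shown))
    return rows


def render_about(text: str) -> str:
    """Render what an About-style page could show: secrets masked, the rest intact."""
    parser = load_ini(text)
    return "\n".join(
        f"[{section}] {option} = {shown}"
        for section, option, shown in redacted_options(parser)
    )


if __name__ == "__main__":
    print(render_about(SAMPLE_INI))
    print("about module disabled:", about_module_disabled(load_ini(SAMPLE_INI)))
```

Masking by option name is only a display-layer measure; as comment 6 notes, anyone who can install plugins or read trac.ini still has the value, so the component switch and file permissions remain the controls that matter.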