Edgewall Software

Opened 16 years ago

Closed 16 years ago

#6621 closed defect (wontfix)

About Trac - the password displayed as plain text

Reported by: dawid@… Owned by: Jonas Borgström
Priority: normal Milestone:
Component: general Version: devel
Severity: normal Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

The About Trac page displays all configuration options, including the password, for example:

  • smtp_user
  • smtp_password

This could be a serious security problem, especially for companies that host Trac for others.

Attachments (0)

Change History (7)

comment:1 by Emmanuel Blot, 16 years ago

These settings only appear to users that own TRAC_ADMIN privileges.

Maybe all passwords could be replaced with joker chars, though…

comment:2 by anonymous, 16 years ago

The password should be hashed.

comment:3 by trac@…, 16 years ago

I don't think the passwords can be hashed, since they have to be supplied to the SMTP server in plain text.

comment:4 by anonymous, 16 years ago (in reply to comment:3)

Replying to trac@brucec.net:

I don't think the passwords can be hashed, since they have to be supplied to the SMTP server in plain text.

Hashed when rendered in the About page, obviously.

comment:5 by evantdster@…, 16 years ago

I don't see this as a bug. If you're an admin, you have the permissions to see the smtp password. If you don't want someone to see it, don't give them admin rights.

comment:6 by osimons, 16 years ago

Also, you can disable the 'About' module - then it won't be active, and it won't show anywhere. Handy if your project admins use webadmin only:

[components]
trac.about.* = disabled

If you are worried about your project admins and what they might do to your information, you should do this and more to tighten security. At least disable the Plugins admin page that allows an admin to upload a new plugin and execute code - it will be a 5 line plugin to fetch that email password (and much more), and a hashed display under 'About' would then be a bit meaningless by providing a false sense of security for the default Trac setup.

If you are hosting Trac for others, you need to tighten security no matter what.
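The two mitigations discussed in this thread, masking secret-looking values when rendering the configuration (comment:1) and disabling the About module in `[components]` (comment:6), as an added Python example that is not Trac's own code. It parses a constructed `trac.ini` with the standard-library `configparser`; the key names `smtp_password`, `trac.about.*` and the `[notification]`/`[components]` sections come from the ticket, while the regex of "secret-looking" key names and the literal-key check for `trac.about.*` (Trac's real component matching also honours wildcards against specific component entries) are simplifications assumed here:

```python
"""Added example, not part of Trac: mask secrets when rendering trac.ini
options and check whether the About module has been disabled."""
import configparser
import re

# Constructed sample trac.ini modelled on the options named in the ticket.
SAMPLE_TRAC_INI = """\
[notification]
smtp_enabled = true
smtp_server = mail.example.org
smtp_user = tracbot
smtp_password = hunter2

[components]
trac.about.* = disabled
"""

# Assumed heuristic: any option whose name looks like a credential is masked.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|token", re.IGNORECASE)


def load_config(text):
    """Parse trac.ini text. RawConfigParser avoids '%' interpolation, and
    optionxform=str keeps option names exactly as written."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str
    cp.read_string(text)
    return cp


def about_module_disabled(cp):
    """True if [components] disables the About module (comment:6 setting).
    Simplification: only the literal 'trac.about.*' key is consulted."""
    if not cp.has_section("components"):
        return False
    value = cp.get("components", "trac.about.*", fallback="")
    return value.strip().lower() == "disabled"


def render_options(cp, mask="********"):
    """Render every option the way an About page would, replacing the value of
    secret-looking keys with a fixed mask. Masking rather than hashing: a hash
    of a short SMTP password can still be recovered by offline guessing, so the
    rendered page should carry no derivative of the value at all."""
    lines = []
    for section in cp.sections():
        lines.append(f"[{section}]")
        for key, value in cp.items(section):
            shown = mask if SECRET_KEY_RE.search(key) else value
            lines.append(f"{key} = {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_TRAC_INI)
    print("About module disabled:", about_module_disabled(cfg))
    print(render_options(cfg))
```

Run it against a real `trac.ini` by replacing `SAMPLE_TRAC_INI` with the file contents; an install where `about_module_disabled` returns False and `render_options` still needs to mask anything is one where every TRAC_ADMIN holder can read the SMTP credential from the About page, which is the situation the reporter describes.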

comment:7 by Christian Boos, 16 years ago

Milestone: 0.11
Resolution: wontfix
Status: new → closed

So, wontfix I guess, for the reasons exposed above.
