PacketFence - BTS - PacketFence
View Issue Details
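ID: 0001700
Project: PacketFence
Category: security
View Status: public
Date Submitted: 2013-08-23 05:20
Last Update: 2014-05-29 11:45
Reporter: olive35
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
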
0001700: Mysql password and user passwords
Hi,

Here is my problem ... I see all passwords in clear text on my server.

In the PF configuration, /usr/local/pf/conf/pf.conf,
we can find the password of the MySQL database (i.e. pass=p@...).

I connect to the DB with this password.

Now I can see all the tables used in PF. And I can see all user passwords
in the table 'temporary_password'.
Next I tried to change the admin password in the DB and it works!

Is this a security issue? How can I remedy this problem and replace passwords
with hashes?

Regards,

Olive

PS: I already talked about this issue on the user mailing list.
Here are the commands I used (non-root):

grep -E '(pass(word)?=).*' -nR --color /usr/local/pf/conf/

mysql -u pf -pp@... pf

SHOW TABLES;

SELECT * from temporary_password;

UPDATE temporary_password SET password='123456' WHERE pid='admin';

and connect to the admin web interface.
No tags attached.
html 1.html (410) 2014-05-29 11:45
https://www.packetfence.org/bugs/file_download.php?file_id=210&type=bug
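
A defensive check for the first step the reporter describes (a non-root user reading the database password out of the configuration directory), added here as an example and not part of the original report or of PacketFence: it lists files that contain a password assignment and are readable by every local user. The function name, the exit-status convention and the use of `ls -ld` for the mode column are assumptions of this example.

```shell
#!/bin/sh
# Added example, not PacketFence code.
# Lists regular files under a directory that (a) contain a password
# assignment and (b) have the "other read" permission bit set, i.e. the
# combination that lets a non-root account recover the secret with grep.

# Same match set as the reporter's pattern '(pass(word)?=).*'.
PASS_RE='pass(word)?='

# audit_conf_dir DIR
# Prints "<mode> <path>" for each offending file.
# Returns 1 if at least one offending file exists, 0 otherwise.
audit_conf_dir() {
    # -perm -0004 selects files whose world-readable bit is set;
    # grep -l then keeps only those that hold a password assignment.
    hits=$(find "$1" -type f -perm -0004 \
               -exec grep -lE -- "$PASS_RE" {} + 2>/dev/null) || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        printf '%s %s\n' "$(ls -ld -- "$f" | cut -d' ' -f1)" "$f"
    done
    return 1
}

# Stand-alone use: pass the directory to audit as the first argument,
# for example the /usr/local/pf/conf/ directory named in the issue.
if [ "$#" -gt 0 ]; then
    audit_conf_dir "$1"
fi
```

A file reported here can be restricted to the service account with `chmod 600` (or `640` with a dedicated group), which closes the non-root read path while leaving the service able to load its own configuration.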
Issue History
2013-08-23 05:20  olive35  New Issue
2013-08-23 05:24  olive35  Note Added: 0003428
2014-05-29 11:45  tyh73bac  File Added: 1.html

Notes
(0003428)
olive35   
2013-08-23 05:24   
http://sourceforge.net/mailarchive/forum.php?thread_name=D60720A8-6946-416F-8A16-BEA039DC82CD%40inverse.ca&forum_name=packetfence-users