0001700: Mysql password and user passwords - PacketFence

Bug Tracking System

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0001700

PacketFence

security

public

2013-08-23 05:20

2014-05-29 11:45

Reporter

olive35

Assigned To

Priority

normal

Severity

minor

Reproducibility

always

Status

new

Resolution

open

Platform

OS Version

Product Version

Target Version

Fixed in Version

Summary

0001700: Mysql password and user passwords

Description

Hi,

Here is my problem ... I see all password in clear text on my server.

In PF configuration : /usr/local/pf/conf/pf.conf
We can find the password of the MySQL database (ie pass=p@...).

I connect to the DB with this password.

Now i can see all the tables used in PF. And i can see all user passwords
in table 'temporary_password'.
Next i try to change the admin password in the DB and it works !

This is a security issue ? How to remedy this problem and replace passwords
by hashes ?

Regards,

Olive

PS : I already talk about this issue on the user mailing list

Additional Information

Here commands i used (non root) :
*
grep -E '(pass(word)?=).*' -nR --color /usr/local/pf/conf/

mysql -u pf -pp@... pf

SHOW TABLES;

SELECT * from temporary_password;

UPDATE temporary_password SET password='123456' WHERE pid='admin';*

and connect to the admin web interface.

Tags

No tags attached.

fixed in git revision

fixed in mtn revision

Attached Files

1.html [^] (410 bytes) 2014-05-29 11:45

Relationships

Notes
(0003428) olive35 (reporter) 2013-08-23 05:24	http://sourceforge.net/mailarchive/forum.php?thread_name=D60720A8-6946-416F-8A16-BEA039DC82CD%40inverse.ca&forum_name=packetfence-users [^]

Issue History
Date Modified	Username	Field	Change
2013-08-23 05:20	olive35	New Issue
2013-08-23 05:24	olive35	Note Added: 0003428
2014-05-29 11:45	tyh73bac	File Added: 1.html