Dolibarr ERP & CRM » Bugs » bug #1818 Passwords in clear in llx_user tableDernières modifications
Répondre
État| Détails |
| Submitted by: | Cyril (tchap) | | Submitted on: | 01/02/2015 12:18 |
| Last Modified On: | 01/02/2015 16:52 | |
| Summary: | Passwords in clear in llx_user table |
| Description: | The "pass" column of the table "llx_user" contains all the user passwords in clear. It's a security problem since any user able to do an export can retreive all the passwords in plain text.
If the database is compromised (read-only), a third person can have access to all the passwords in plain text
Storing the passwords like that in the database has no use and pose a security threat as far as I can tell. |
| Step to reproduce bug: | |
| Detected in version: | 3.6.2 | | Category: | Security |
| Severity: | 5 - Major | | OS Type/Version: | Debian wheezy |
| PHP version: | PHP 5.4.36-0+deb7u3 | | Database type and version: | mysql Ver 14.14 Distrib 5.5.40 |
| Etat |
| Status: | Closed | | Assigned to: | Aucun |
| Resolution: | Wont Fix | |
Commentaires- Maxime Kohlhaas 10/03/2015 16:27
- Hi.
You have a possible configuration to encrypt passwords into database.
To do it, you need to go in Home > Setup > Security > Passwords and activate the option "Do no store clear passwords in database but store only encrypted value (Activated recommended)".
Regards,
|
|
You have a possible configuration to encrypt passwords into database.
To do it, you need to go in Home > Setup > Security > Passwords and activate the option "Do no store clear passwords in database but store only encrypted value (Activated recommended)".
Regards,
Open→ ClosedAucun→ Wont Fix