User passwords logged when LDAP misconfigured
Bug #1009262 reported by Craig Miskell
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | Critical | Son Nguyen | |
| 1.7 | Fix Released | Critical | Unassigned | |
| 1.8 | Fix Released | Critical | Unassigned | |
| 1.9 | Fix Released | Critical | Unassigned | |
Bug Description
When LDAP is misconfigured, for example pointing to a non-existent LDAP server, the stack trace in the webserver log reports the user's password (redacted log snippet to be attached).
It is not a major bug, in that the information is only available to the server administrator under normal circumstances (unless log files are not locked down, which does happen sometimes), but it's still bad form and should be avoided if possible.
Mahara 1.6.0dev 2012051500 (according to lib/version.php). Running on Ubuntu 10.04 and Apache2.
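The failure mode in the report comes from how PHP exception traces are rendered: `Exception::getTraceAsString()` prints each frame's scalar arguments, so a password passed down to the LDAP bind call is written out verbatim when the bind throws. The following is an added example, not Mahara's code: a stand-in bind that fails the way an unreachable LDAP server would, a naive logger that leaks the credential, and a logger that rebuilds the trace from `getTrace()` with every argument value replaced by its type. The function names (`ldap_bind_user`, `authenticate`, `log_naive`, `log_redacted`), the host and the credentials are all constructed for the illustration.

```php
<?php
// Added example (not Mahara code): how a PHP exception trace leaks a password
// argument, and how to log the same trace with argument values redacted.

// Hypothetical stand-in for the LDAP bind. The server is unreachable, so it
// throws, as ldap_connect()/ldap_bind() against a bad host would.
function ldap_bind_user(string $host, string $username, string $password): bool
{
    throw new RuntimeException("Can't contact LDAP server at $host");
}

// Hypothetical login path that hands the raw password to the bind.
function authenticate(string $username, string $password): bool
{
    return ldap_bind_user('ldap.invalid', $username, $password);
}

// Naive logging: getTraceAsString() includes each frame's scalar arguments,
// so the password appears in the log line for the ldap_bind_user() frame.
function log_naive(Throwable $e): string
{
    return $e->getMessage() . "\n" . $e->getTraceAsString();
}

// Hardened logging: walk getTrace() and emit only the type of each argument.
// File, line and function names survive, which is what an administrator needs
// to find the misconfiguration; the values do not.
function log_redacted(Throwable $e): string
{
    $lines = [$e->getMessage()];
    foreach ($e->getTrace() as $i => $frame) {
        $args = array_map(
            fn($a) => '<' . gettype($a) . '>',
            $frame['args'] ?? []
        );
        $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
        $lines[] = sprintf(
            '#%d %s(%d): %s(%s)',
            $i,
            $frame['file'] ?? '[internal]',
            $frame['line'] ?? 0,
            $call,
            implode(', ', $args)
        );
    }
    return implode("\n", $lines);
}

// Constructed credentials for the demonstration.
try {
    authenticate('craig', 'Hunter2!Secret');
} catch (Throwable $e) {
    echo "--- naive (password visible in frame #0) ---\n";
    echo log_naive($e), "\n";
    echo "--- redacted ---\n";
    echo log_redacted($e), "\n";
}
```

Run it with `php example.php`: the naive block shows `ldap_bind_user('ldap.invalid', 'craig', 'Hunter2!Secret')`, the redacted block shows `ldap_bind_user(<string>, <string>, <string>)`. Two server-side controls complement the logger fix: on PHP 7.4 and later, `zend.exception_ignore_args=On` (the setting in `php.ini-production`) drops argument values from traces entirely, and on PHP 8.2 and later the `#[\SensitiveParameter]` attribute on the `$password` parameter makes the engine substitute a placeholder for that argument in any trace. Neither helps if the application logs its own `debug_backtrace()` output, which is why redacting at the point of logging is the check that belongs in the code.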
Changed in mahara:
- status: New → Confirmed
- importance: Undecided → Medium

Changed in mahara:
- milestone: none → 1.10.0
- status: In Progress → Fix Committed
- importance: Medium → High
- importance: High → Critical
- information type: Private Security → Public Security

Changed in mahara:
- status: Fix Committed → Fix Released
Also discussed publicly at https://mahara.org/interaction/forum/topic.php?id=1727 - in that thread Nigel seemed to think it wasn't worth the hassle to filter them out, but maybe we should have another look.