Issue 52: SECURITY PATCH Show action shows user password hash.
What steps will reproduce the problem?
1. Login with an administrator account.
2. Put /show/1 as the action and id.

What is the expected output? What do you see instead?
I don't think passwords should be shown to whoever doesn't have the database password; I think it should be nothing. The password hash is shown, now it's encrypted.

What version of the product are you using? On what operating system?
trunk. Ubuntu 7.04

Please provide any additional information below.
Easy, it's not the end of the world here. If you can login as an administrator you can change other people's passwords, but I think that nobody, not even the owner of its own account, should be able to see password hashes. ONLY who has access to the hashes repository should be able to do that, in that case the database owner. A patch follows, commenting out the action, until someone decides whether they agree with that and if the view should be changed/deleted or whatever.
Comment #1 by subim...@gmail.com (Project Member), Apr 8, 2008
Status: Fixed
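The issue above is a classic over-exposure in a record "show" action: the handler serialises the whole user row, so the stored password hash travels to the browser along with the harmless columns. The patch the reporter mentions is not reproduced on this page and the project's framework is not named, so the following is an added, framework-neutral Python example (not the project's code or patch). It assumes a users table with the columns `id`, `username`, `email`, `password_hash` and `is_admin`, and shows the leaky handler beside an allowlist-based one, plus a small response audit that a test suite can run to catch sensitive keys before they ship.

```python
"""Allowlist serialisation for a user 'show' action, with a response audit.

Added example, not code from the project in the issue. The table layout and
field names below are assumptions; the hashes are constructed locally.
"""
import hashlib
import os

# Constructed sample rows standing in for the users table.
def _make_hash(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

USERS = {
    1: {"id": 1, "username": "admin", "email": "admin@example.invalid",
        "password_hash": _make_hash("constructed-admin-pw"), "is_admin": True},
    2: {"id": 2, "username": "alice", "email": "alice@example.invalid",
        "password_hash": _make_hash("constructed-alice-pw"), "is_admin": False},
}

# Fields the show action is allowed to return. Anything not listed never
# leaves the handler, so a new sensitive column added later is safe by default.
SAFE_FIELDS = ("id", "username", "email", "is_admin")

# Substrings that mark a key as something a response should never carry.
SENSITIVE_MARKERS = ("password", "hash", "secret", "token", "salt")


def show_user_leaky(user_id: int):
    """The 'before' behaviour from the issue: the whole row is returned."""
    row = USERS.get(user_id)
    return dict(row) if row is not None else None


def show_user(user_id: int):
    """Hardened show action: copy only allowlisted fields out of the row."""
    row = USERS.get(user_id)
    if row is None:
        return None
    return {field: row[field] for field in SAFE_FIELDS if field in row}


def find_sensitive_fields(payload, path=""):
    """Walk a response (dicts/lists, nested) and return key paths whose name
    contains a sensitive marker. Useful as a test-suite assertion over every
    endpoint, not just the one reported."""
    found = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            key_path = f"{path}.{key}" if path else str(key)
            if any(marker in str(key).lower() for marker in SENSITIVE_MARKERS):
                found.append(key_path)
            found.extend(find_sensitive_fields(value, key_path))
    elif isinstance(payload, list):
        for index, item in enumerate(payload):
            found.extend(find_sensitive_fields(item, f"{path}[{index}]"))
    return found


if __name__ == "__main__":
    print("leaky:", find_sensitive_fields(show_user_leaky(1)))   # ['password_hash']
    print("fixed:", find_sensitive_fields(show_user(1)))         # []
```

The allowlist is the important design choice: a denylist (drop `password_hash`) protects only the columns someone remembered to name, whereas an allowlist keeps a future `reset_token` or `totp_secret` column out of the response without any further change. The `find_sensitive_fields` audit is the complementary detective control; run it over each endpoint's output in the test suite so a regression of this issue fails a build rather than reaching users.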