The following issue has been CLOSED 
====================================================================== 
http://www.dbmail.org/mantis/view.php?id=466 
====================================================================== 
Reported By:                haydude
Assigned To:                
====================================================================== 
Project:                    DBMail
Issue ID:                   466
Category:                   Authentication layer
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     closed
target:                      
Resolution:                 open
Fixed in Version:           
====================================================================== 
Date Submitted:             03-Dec-06 19:52 CET
Last Modified:              03-Dec-06 20:09 CET
====================================================================== 
Summary:                    Passwords are stored in clear [serious security
flaw]
Description: 
First of all, many thanks to the authors for this great package. This is
just what was necessary to build a resilient mail system. The fact that I
am reporting this issue is an indication that I intend to adopt it and
support its development.

Here is the issue:

The users' passwords are stored in clear in the database.
These should be stored using one-way encryption, because storing them in
clear represents a serious security flaw.
====================================================================== 

---------------------------------------------------------------------- 
 aaron - 03-Dec-06 20:09  
---------------------------------------------------------------------- 
RTFM: you can change the password encoding with the -p option to
dbmail-users.

[snipped from output of dbmail-users -h]

Summary of options for all modes:
     -w passwd specify user's password on the command line
     -W [file] read from a file or prompt for a user's password
     -p pwtype password type may be one of the following:
               plaintext, crypt, md5-hash, md5-digest, md5-base64
               each type may be given a '-raw' suffix to indicate
               that the password argument has already been encoded.
     -P [file] pull encrypted password from the shadow file 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
03-Dec-06 19:52 haydude        New Issue                                    
03-Dec-06 20:09 aaron          Status                   new => closed       
03-Dec-06 20:09 aaron          Note Added: 0001643                          
======================================================================
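
Added example (not part of the original issue or of DBMail's code): a small audit that guesses, from shape alone, how each stored password value is encoded, so accounts still held in clear can be found and re-encoded. The recognised shapes are the conventional forms of crypt and MD5 output, which is an assumption since the page does not define the pwtype values; the rows are constructed.

```python
import base64
import hashlib
import re

# Conventional shapes of crypt/MD5 output (assumed; the page does not define them).
_HEX_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
_MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def _is_b64_md5(stored: str) -> bool:
    """True when the value is strict base64 that decodes to 16 bytes."""
    if len(stored) != 24 or not stored.endswith("=="):
        return False
    try:
        return len(base64.b64decode(stored, validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def classify(stored: str) -> str:
    """Guess how a stored password value is encoded from its shape alone."""
    if _MD5_CRYPT.match(stored):
        return "md5-crypt"
    if _HEX_MD5.match(stored):
        return "md5-hex"
    if _is_b64_md5(stored):
        return "md5-base64"
    if _DES_CRYPT.match(stored):
        return "des-crypt"
    return "plaintext?"


def audit(rows):
    """Return the user names whose stored value looks unencoded."""
    return [user for user, stored in rows if classify(stored) == "plaintext?"]


# Constructed sample rows (user, stored value); not data from the page.
SAMPLE_ROWS = [
    ("alice", "Summer2006!"),
    ("bob", hashlib.md5(b"hunter2").hexdigest()),
    ("carol", base64.b64encode(hashlib.md5(b"hunter2").digest()).decode()),
    ("dave", "$1$abcdefgh$" + "A" * 22),
    ("erin", "abJnggxhB/yJo"),
]

if __name__ == "__main__":
    print("needs re-encoding:", audit(SAMPLE_ROWS))
```

The check is a heuristic: a clear-text password that happens to be 13 crypt-alphabet characters or 32 hex digits is reported as encoded, so a stored encoding-type field, where one exists, is the authoritative source.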
