Package: dtc-common
Version: 0.29.17-1
Severity: grave
Tags: upstream security
dtc stores user passwords unencrypted in the database:

    $q = "INSERT INTO $pro_mysql_new_admin_table (reqadm_login, reqadm_pass, [...] VALUES('".$_REQUEST["reqadm_login"]."', '".$_REQUEST["reqadm_pass"]."',

(from client/new_account_form.php)

This can be verified by executing "SELECT * FROM admin" in dtc's MySQL database, which shows the administrator password after installation.

dtc also stores passwords for various services (FTP, ...). I have not looked if passwords are hashed there.

The code in unstable (dtc/0.32.5-1) seems to have the same problems.

Ansgar
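The plaintext-storage pattern the report describes, beside a hardened version and a post-install audit check, as an added example that is not dtc's code. It assumes a PDO connection `$pdo` and that the `admin` table and the `reqadm_login`/`reqadm_pass` columns match the names quoted above.

```php
<?php
// Added example, not from the dtc code base. Assumes a PDO connection $pdo and
// an "admin" table with reqadm_login / reqadm_pass columns (names from the report).

// Weak: the submitted password is written to the database verbatim, so anyone
// who can run "SELECT * FROM admin" reads every administrator password.
function store_admin_plaintext(PDO $pdo, string $login, string $pass): void {
    // Request data is also concatenated straight into the SQL, as in the quoted line.
    $q = "INSERT INTO admin (reqadm_login, reqadm_pass) VALUES ('$login', '$pass')";
    $pdo->exec($q);
}

// Hardened: store only a salted, slow hash (bcrypt via password_hash) and bind
// the values through a prepared statement instead of string concatenation.
function store_admin_hashed(PDO $pdo, string $login, string $pass): void {
    $hash = password_hash($pass, PASSWORD_DEFAULT); // salt is generated and embedded in the hash
    $stmt = $pdo->prepare('INSERT INTO admin (reqadm_login, reqadm_pass) VALUES (:login, :hash)');
    $stmt->execute([':login' => $login, ':hash' => $hash]);
}

// Login check against the stored hash; the plaintext never has to be kept.
function verify_admin(PDO $pdo, string $login, string $pass): bool {
    $stmt = $pdo->prepare('SELECT reqadm_pass FROM admin WHERE reqadm_login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['reqadm_pass']);
}

// Audit check a packager can run after installation: password_get_info() reports
// algoName "unknown" for anything that is not a recognised password hash, which
// is exactly what a plaintext column value looks like.
function audit_password_column(PDO $pdo): array {
    $suspect = [];
    foreach ($pdo->query('SELECT reqadm_login, reqadm_pass FROM admin') as $row) {
        if (password_get_info($row['reqadm_pass'])['algoName'] === 'unknown') {
            $suspect[] = $row['reqadm_login'];
        }
    }
    return $suspect; // logins whose stored value is not a password hash
}
```

Running `audit_password_column()` against a fresh install is a quick way to confirm the report: with the current code every administrator login comes back as suspect.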