On 03/23/2011 03:16 PM, Florian Heigl wrote:
Hi,

unhashed passwords for the admin accounts should leave no room for discussion.
I can't seem to understand how a product can be as focussed
on security as DTC (with sbox and such addons) and then neglect
best practices and deem the most basic level of security a "wishlist item".

There is no single reason that the admin user accounts should be saved
unencrypted.

(Dealing with mass signups is an issue, but could be dealt with in much
saner ways than manually comparing passwords)

There are two worrying things in this bug report
a) DTC has unencrypted admin passwords
b) The issue is still open 4 weeks later because of different opinions
(and other priorities?)

Thomas, DTC is the most powerful panel around, but this single issue is so
great that I'd expect to be held liable by the customers in aftermath of a hack.
This isn't the optional type of security.

Greetings,
Florian
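The contrast Florian draws above, plaintext admin passwords versus the "most basic level of security", is the difference between storing the password itself and storing a salted, slow hash of it. The following is an added illustration written for this thread, not code from DTC or from anyone on the list; it is plain Python with the standard library, and the iteration count and the signup rate-limit helper are assumptions chosen for the example. It also shows why the "manually comparing passwords" workflow mentioned above stops working once passwords are salted, and where an equivalent anti-abuse check can live instead.

```python
import hashlib
import hmac
import os
from collections import Counter

# --- What the bug report describes: the password stored as-is ------------------
# Kept only to contrast with the hashed form below. Anyone who can read the
# database (backup, SQL injection, stray dump) learns every admin password.
def store_plaintext(password: str) -> dict:
    return {"password": password}

def verify_plaintext(record: dict, attempt: str) -> bool:
    return record["password"] == attempt

# --- Hashed storage: per-user random salt + PBKDF2-HMAC-SHA256 ------------------
# Assumption: 600,000 iterations, the figure OWASP recommends for PBKDF2-SHA256
# at the time of writing this example. Tune to the hardware; lower it only for tests.
PBKDF2_ITERATIONS = 600_000

def store_hashed(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a record that can be stored in place of the plaintext password."""
    salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }

def verify_hashed(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def same_stored_value(record_a: dict, record_b: dict) -> bool:
    """With per-user salts, identical passwords yield different stored values,
    so an operator can no longer detect mass signups by eyeballing the
    password column. That check has to move out of the password store."""
    return record_a["hash"] == record_b["hash"]

# --- Where the mass-signup check can live instead ------------------------------
# Assumption: signup events are logged as (source_ip, unix_time). Flag a source
# that exceeds `limit` signups inside `window` seconds. This is illustrative;
# a real deployment would also consider e-mail domains, CAPTCHAs, etc.
def signup_rate_exceeded(events, source_ip: str, now: float,
                         limit: int = 3, window: float = 3600.0) -> bool:
    recent = Counter(
        ip for ip, ts in events if now - ts <= window
    )
    return recent[source_ip] > limit

if __name__ == "__main__":
    rec = store_hashed("correct horse battery staple", iterations=20_000)
    print("login ok:", verify_hashed(rec, "correct horse battery staple"))
    print("wrong pw:", verify_hashed(rec, "Correct horse battery staple"))
    # Constructed signup log: four signups from one address within an hour.
    log = [("203.0.113.7", 1000.0), ("203.0.113.7", 1100.0),
           ("203.0.113.7", 1200.0), ("203.0.113.7", 1300.0),
           ("198.51.100.2", 1250.0)]
    print("rate exceeded:", signup_rate_exceeded(log, "203.0.113.7", now=1400.0))
```

The stored record never contains the password, a leaked database yields only salted PBKDF2 output, and verification uses `hmac.compare_digest` rather than `==` so the comparison time does not depend on how many leading bytes match.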

I'll be working on it when I have time. But instead of whining, it would be a lot more productive to send patches!

Thomas



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
