Your message dated Sat, 26 May 2012 00:41:09 +0800
with message-id <[email protected]>
and subject line done
has caused the Debian Bug report #614304,
regarding dtc-common: does store user passwords unhashed in the database
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
614304: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614304
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dtc-common
Version: 0.29.17-1
Severity: grave
Tags: upstream security
dtc stores user passwords unencrypted in the database:
$q = "INSERT INTO $pro_mysql_new_admin_table
(reqadm_login,
reqadm_pass,
[...]
VALUES('".$_REQUEST["reqadm_login"]."',
'".$_REQUEST["reqadm_pass"]."',
(from client/new_account_form.php)
This can be verified by executing "SELECT * FROM admin" in dtc's MySQL
database which shows the administrator password after installation.
dtc also stores passwords for various services (FTP, ...). I have not
checked whether passwords are hashed there.
The code in unstable (dtc/0.32.5-1) seems to have the same problems.
Ansgar
--- End Message ---
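For comparison with the excerpt from client/new_account_form.php quoted in the report, here is what the same INSERT looks like when the password is hashed before it reaches the database. This is an added example, not dtc's code and not a patch from the package: it uses an in-memory SQLite table (via PDO) in place of dtc's MySQL "admin" table, a constructed $request array in place of $_REQUEST, and PHP's password_hash()/password_verify() (available since PHP 5.5, i.e. later than the versions named in the report). It also binds both values as parameters, since the quoted code concatenates $_REQUEST values directly into the query string.

```php
<?php
// Added example (not dtc's code): the INSERT from client/new_account_form.php
// with the password hashed before storage and both values bound as parameters.
// Assumptions: an in-memory SQLite table stands in for dtc's MySQL "admin"
// table, and $_REQUEST is replaced by the constructed $request array below.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (reqadm_login TEXT PRIMARY KEY, reqadm_pass TEXT NOT NULL)');

// Constructed stand-in for $_REQUEST (the quote in the password is deliberate:
// it would have broken, or been injected into, the concatenated query).
$request = ['reqadm_login' => 'dtcadmin', 'reqadm_pass' => "corr'ect horse"];

function createAdmin(PDO $db, array $request): void
{
    // password_hash() chooses the algorithm (bcrypt for PASSWORD_DEFAULT),
    // generates a per-password salt and encodes algorithm, cost, salt and
    // hash into one string, so nothing else needs to be stored.
    $hash = password_hash($request['reqadm_pass'], PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO admin (reqadm_login, reqadm_pass) VALUES (:login, :pass)');
    $stmt->execute([':login' => $request['reqadm_login'], ':pass' => $hash]);
}

function checkLogin(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT reqadm_pass FROM admin WHERE reqadm_login = :login');
    $stmt->execute([':login' => $login]);
    $stored = $stmt->fetchColumn();
    // password_verify() reads algorithm and salt back out of the stored string
    // and compares in constant time; an unknown login fails like a wrong password.
    return $stored !== false && password_verify($password, $stored);
}

createAdmin($db, $request);

// The check from the bug report: after this change, "SELECT * FROM admin"
// shows a $2y$... hash string instead of the administrator password.
foreach ($db->query('SELECT * FROM admin') as $row) {
    echo $row['reqadm_login'], ' ', $row['reqadm_pass'], "\n";
}

var_dump(checkLogin($db, 'dtcadmin', "corr'ect horse"));
var_dump(checkLogin($db, 'dtcadmin', 'wrong'));
var_dump(checkLogin($db, 'nobody', "corr'ect horse"));
```

The stored value is now only useful for verifying a candidate password, not for recovering the original one; a database dump (or the SELECT the reporter ran) no longer yields the admin password. The same pattern applies to the service passwords the report mentions (FTP and others), with the caveat that a service which must authenticate against a stored credential in the clear (for example a protocol that requires the plaintext on the server side) cannot use a one-way hash and needs a different design.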
--- Begin Message ---
done
--- End Message ---