Dave Sherohman wrote:
> On Tue, Feb 03, 2009 at 01:55:41PM +0100, Andreas Heinlein wrote:
>> Dave Sherohman wrote:
>>> I can't say that I find the latter point particularly relevant, as many
>>> users are in the habit of re-using passwords across multiple sites.
>>>
>>> If I, as an RT admin, have access to my RT users' passwords, then that
>>> may not present any risk to the security of my RT installation (as
>>> admin, I have full access anyhow), but it does potentially place those
>>> users' email accounts, bank accounts, etc. at risk if they use the same
>>> passwords on those sites as they do on my RT install.
>>
>> If such people want to find out users' passwords in order to try them out
>> elsewhere, they could just remove the cloaking of passwords from the RT
>> source, or sniff the HTTP packets (or set up a man-in-the-middle attack
>> if RT is using HTTPS), or design their own login page that writes down
>> the passwords before passing them to RT, or...
>
> Fair point, but I still see a significant difference between "turn on
> this switch and we'll hand you the passwords in a log file" and the
> various methods you mention, any of which would require some degree of
> skill and/or effort to implement.

aptitude install dsniff
dsniff -i eth0 > passwords.txt

That's it, basically ;-) (when run on the RT server)

Bye,
Andreas

_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: [email protected]

Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
