Bug 74032 - Password stored in plaintext on the MySQL Data Base.
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General
: unspecified
: x86 Linux
: -- normal
: Bugzilla 2.14
Assigned To: Myk Melez [:myk] [@mykmelez]
: default-qa
Mentors:
Depends on: 77473
Blocks:
Reported: 2001-03-29 15:47 PST by Girino Vey!
Modified: 2012-12-18 20:46 PST
0 users
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
docs patch about 'Bugzilla Database Tables' section, for 2.18 (1.06 KB, patch)
2006-03-05 02:03 PST, victory <never@receive.bug.mails.i.hate.spammer>
timeless: review-

Description Girino Vey! 2001-03-29 15:47:03 PST
System administrators at my site are concerned about my running bugzilla in one 
of their machines since users tend to use the same password for bugzilla and 
for their login account in the other machines. This password being plaintext in 
the DB makes it available to the bugzilla admin (me) at any time.

Password should be only stored in its encrypted form on the DB.
Comment 1 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-03-30 03:52:09 PST
See also bug 15980: Password visible in location bar in browser

I agree, this is a concern of mine, too, for my local system.

Do keep in mind that unless you're using SSL, the passwords are transmitted in 
cleartext over the network, too (if everyone's inside a firewall, this part might 
not be a big deal).

Marking 2.14 since this is a security issue.
Comment 2 Myk Melez [:myk] [@mykmelez] 2001-05-01 17:33:22 PDT
Making this bug depend on bug 77473 because existing installations will have to
re-crypt their users' passwords when that fix is applied, and they need to keep
the plain-text versions of those passwords around until then in order to be able
to do that.
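
The migration constraint described in comment 2, as an added example that is not part of the bug thread or Bugzilla's own code: each stored plaintext password is hashed once and the plaintext erased in the same statement, after which logins are checked against the hash only. It uses sqlite3 as a stand-in for MySQL and PBKDF2 from Python's standard library in place of crypt; the `userid`, `password` and `cryptpassword` column names, the sample accounts and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed work factor for this example

def hash_password(password):
    """Return 'pbkdf2$<iterations>$<salt hex>$<digest hex>' with a fresh salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    _scheme, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def migrate(db):
    """Hash each remaining plaintext password and erase the plaintext.
    Safe to re-run: rows that were already converted are skipped."""
    rows = db.execute("SELECT userid, password FROM profiles "
                      "WHERE password IS NOT NULL").fetchall()
    for userid, plaintext in rows:
        db.execute("UPDATE profiles SET cryptpassword = ?, password = NULL "
                   "WHERE userid = ?", (hash_password(plaintext), userid))
    db.commit()
    return len(rows)

def login_ok(db, login_name, password):
    row = db.execute("SELECT cryptpassword FROM profiles WHERE login_name = ?",
                     (login_name,)).fetchone()
    return bool(row and row[0]) and verify_password(password, row[0])

def build_sample_db():
    """Constructed sample data: two accounts still holding plaintext."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (userid INTEGER PRIMARY KEY, "
               "login_name TEXT, password TEXT, cryptpassword TEXT)")
    db.executemany("INSERT INTO profiles (login_name, password) VALUES (?, ?)",
                   [("alice@example.com", "correct horse"),
                    ("bob@example.com", "hunter2")])
    return db

if __name__ == "__main__":
    db = build_sample_db()
    print("migrated:", migrate(db), "re-run:", migrate(db))
    print("alice login:", login_ok(db, "alice@example.com", "correct horse"))
```
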
Comment 3 Myk Melez [:myk] [@mykmelez] 2001-06-12 15:02:04 PDT
Taking.  A patch for this bug exists as part of the patch to bug 77473.
Comment 4 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-07-10 22:34:41 PDT
bug 77473 has been fixed, and the patch included the fix for this, therefore
this is fixed.
Comment 5 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-09-02 23:41:15 PDT
Moving to Bugzilla product
Comment 6 victory <never@receive.bug.mails.i.hate.spammer> 2006-03-05 02:03:44 PST
Created attachment 214072
docs patch about 'Bugzilla Database Tables' section, for 2.18
Comment 7 timeless 2006-03-17 02:58:24 PST
Comment on attachment 214072
docs patch about 'Bugzilla Database Tables' section, for 2.18

>+profiles:  Ahh, so you were wondering where your precious user
>+information was stored?  Here it is!  This table stores crypted
>+passwords, disabledtext, emailflags, login_name, whether to show
_the_
>+<quote>My Bugs</quote> link, the user's real name, and when the
>+profiles were updated.
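
Review bot: in the profiles entry, the field list mixes literal column names (disabledtext, emailflags, login_name) with loose descriptions ("crypted passwords", "the user's real name"), so a reader cannot map each item to a column. Name the columns consistently, and for the password item say what "crypted" means for an administrator reading the table, for example whether the stored value can be turned back into the user's password, since that is the concern this bug was filed about.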

... when || profiles were _last_ updated.
or
... when the /profile/ /was/ _last_ updated.
