Closed
Bug 74032
Opened 24 years ago
Closed 24 years ago
Password stored in plaintext on the MySQL Data Base.
Categories
(Bugzilla :: Bugzilla-General, defect)
RESOLVED
FIXED
Bugzilla 2.14
People
(Reporter: girino, Assigned: myk)
Attachments
(1 obsolete file)
System administrators at my site are concerned about my running bugzilla in one of their machines since users tend to use the same password for bugzilla and for their login account in the other machines. This password being plaintext in the DB makes it available to the bugzilla admin (me) at any time. Password should be only stored in its encrypted form on the DB.
Comment 1•24 years ago
See also bug 15980: Password visible in location bar in browser
I agree, this is a concern of mine, too, for my local system. Do keep in mind that unless you're using SSL, the passwords are transmitted in cleartext over the network, too (if everyone's inside a firewall, this part might not be a big deal).
Marking 2.14 since this is a security issue.
Target Milestone: --- → Bugzilla 2.14
Comment 2•24 years ago (Assignee)
Making this bug depend on bug 77473 because existing installations will have to re-crypt their users' passwords when that fix is applied, and they need to keep the plain-text versions of those passwords around until then in order to be able to do that.
Depends on: 77473
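The one-time migration that comment 2 describes (hash every stored plaintext password, then drop the plaintext), as an added example; this is not Bugzilla's code or the patch from bug 77473. The `profiles` layout with `userid`, `password` and `cryptpassword` columns, the sample rows, and the use of PBKDF2 from Python's standard library are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune for your hardware)

def hash_password(plaintext):
    """Return 'iterations$salt_hex$hash_hex', with a fresh random salt per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(plaintext, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

PLAINTEXT_LEFT = "password IS NOT NULL AND password != ''"

def migrate(conn):
    """Hash each remaining plaintext password and blank it; returns rows changed."""
    rows = conn.execute(
        f"SELECT userid, password FROM profiles WHERE {PLAINTEXT_LEFT}").fetchall()
    with conn:  # single transaction: hash and wipe together, or not at all
        for userid, plaintext in rows:
            conn.execute(
                "UPDATE profiles SET cryptpassword = ?, password = NULL "
                "WHERE userid = ?", (hash_password(plaintext), userid))
    return len(rows)

def plaintext_remaining(conn):
    """Post-migration check: how many rows still hold a plaintext password."""
    return conn.execute(
        f"SELECT COUNT(*) FROM profiles WHERE {PLAINTEXT_LEFT}").fetchone()[0]

def demo_db():
    """Constructed sample data standing in for a pre-fix installation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (userid INTEGER PRIMARY KEY, "
                 "login_name TEXT, password TEXT, cryptpassword TEXT)")
    conn.executemany(
        "INSERT INTO profiles (login_name, password) VALUES (?, ?)",
        [("alice@example.com", "correct horse"), ("bob@example.com", "hunter2")])
    conn.commit()
    return conn

if __name__ == "__main__":
    db = demo_db()
    print("migrated:", migrate(db), "plaintext left:", plaintext_remaining(db))
```

Running `migrate` a second time changes nothing, so it is safe to re-run after an interrupted upgrade; backups and database dumps taken before the migration still contain the plaintext column.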
Updated•24 years ago (Assignee)
Whiteboard: code
Comment 3•24 years ago (Assignee)
taking. A patch for this bug exists as part of the patch to bug 77473.
Updated•24 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 4•24 years ago
bug 77473 has been fixed, and the patch included the fix for this, therefore this is fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 5•23 years ago
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: Bugzilla 2.10 → unspecified
Comment on attachment 214072 [details] [diff] [review] docs patch about 'Bugzilla Database Tables' section, for 2.18 >+profiles: Ahh, so you were wondering where your precious user >+information was stored? Here it is! This table stores crypted >+passwords, disabledtext, emailflags, login_name, whether to show _the_ >+<quote>My Bugs</quote> link, the user's real name, and when the >+profiles were updated. ... when || profiles were _last_ updated. or ... when the /profile/ /was/ _last_ updated.
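Review bot: In the quoted profiles paragraph, the list mixes literal column names (disabledtext, emailflags, login_name) with loose descriptions ("crypted passwords", "the user's real name", "when the profiles were updated"), so a reader cannot tell which words are column names. Suggest naming every column and giving each a short description, and stating explicitly that only the crypted form of the password is stored, since that is the change this bug tracked.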
Attachment #214072 -
Flags: review?(documentation) → review-
Updated•18 years ago
Attachment #214072 -
Attachment is obsolete: true
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa