Dolibarr ERP & CRM » Bugs » bug #1818 Passwords in clear in llx_user table
Details |
Submitted by: | Cyril (tchap) | | Submitted on: | 2015-02-01 12:18 |
Last Modified On: | 2015-02-01 12:18 | |
Summary: | Passwords in clear in llx_user table |
Description: | The "pass" column of the table "llx_user" contains all the user passwords in clear. It's a security problem since any user able to do an export can retrieve all the passwords in plain text.
If the database is compromised (read-only), a third person can have access to all the passwords in plain text.
Storing the passwords like that in the database has no use and poses a security threat as far as I can tell. |
Step to reproduce bug: | |
Detected in version: | 3.6.2 | | Category: | Security |
Severity: | 5 - Major | | OS Type/Version: | Debian wheezy |
PHP version: | PHP 5.4.36-0+deb7u3 | | Database type and version: | mysql Ver 14.14 Distrib 5.5.40 |
Status |
Status: | Open | | Assigned to: | None |
Resolution: | None | |