LDAP password disclosed on admin page

Description

Given

  • I am an Openfire administrator

  • I have my Openfire server set up for LDAP

Then

  • The LDAP password is sent to the browser in plain text (obscured only by a password field) when I view the LDAP settings

Marked as minor, as it requires admin console access, although it could be used in another attack to use that credential or egress that password elsewhere.
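A regression check for this class of issue, as an added example that is not Openfire's own code: it parses a rendered settings page and reports every password input that arrives with a pre-filled value, without logging the secret itself. The sample HTML and its field names are constructed for illustration.

```python
from html.parser import HTMLParser


class PrefilledPasswordFinder(HTMLParser):
    """Collects <input type="password"> elements whose value attribute is non-empty."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; self-closing tags land here too.
        if tag != "input":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "").strip().lower() != "password":
            return
        value = attr.get("value", "")
        if value.strip():
            # Record only the field name and secret length, never the secret.
            self.findings.append(
                {"name": attr.get("name") or attr.get("id") or "?", "length": len(value)}
            )


def find_prefilled_passwords(html):
    """Return one finding per password field the server rendered with a value."""
    parser = PrefilledPasswordFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages (hypothetical field names, not taken from Openfire).
DISCLOSING_PAGE = """<form method="post">
<input type="text" name="adminDN" value="cn=admin,dc=example,dc=org">
<input type="PASSWORD" name="adminPassword" value="s3cr3t-constructed"/>
</form>"""

SAFE_PAGE = """<form method="post">
<input type="text" name="adminDN" value="cn=admin,dc=example,dc=org">
<input type="password" name="adminPassword" value="">
</form>"""

if __name__ == "__main__":
    for label, page in (("disclosing", DISCLOSING_PAGE), ("safe", SAFE_PAGE)):
        print(label, find_prefilled_passwords(page))
```

Run against saved responses from an authenticated admin session, an empty result means no password field was echoed back by the server.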

Environment

None
Fixed

Assignee

Guus der Kinderen

Reporter

Dan Caseley

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Priority

Minor