ldap.adminPassword is plain text

Description

I think a change needs to be made to the Openfire admin console, for security reasons. The LDAP admin password is displayed in plain text. It should be masked out. I realize that you need to have openfire admin priveledges to view that page or the database, but once the source is accessed anyone walking by could read the value from a screen. or browser cache could be used to view it. Security of my network is of utmost importance.

Environment

Openfire 3.6.0

Acceptance Test - Entry

None

Activity

Show:

Daniel Henninger

August 29, 2008, 8:02 PM

Copy link to comment

Agreed, moving to 3.6.1.

Michael Michael

February 26, 2009, 8:58 PM

Copy link to comment

This is related with JM-930. I agrre that this is a critical bug. See comments that are made under JM-930.

Brian Tuley

September 11, 2009, 7:36 PM

Copy link to comment

This issue violates PCI (payment card industry https://www.pcisecuritystandards.org) standards and affects any business that collects credit cards.

It most likley violates HIPPA (privacy in medical records) as well.

OpenFire is a great tool that I would love to roll out to agents in my center, however use would not be allowed because passwords are exposed.

Other tools that require active directory authentication like SAMBA don't have this problem.

Guus der Kinderen

January 10, 2010, 11:42 PM

Copy link to comment

Openfire masks all values for properties if the property name includes password, passwd or cookieKey. The matches needed to be case sensitive, which is why ldap.adminPassword (note the capital P) did not match. I made a modification that will allow case-insensitive matching.

Assignee

Guus der Kinderen

Reporter

Todd Getz

Labels

None

Expected Effort

None

Ignite Forum URL

None

Components

Admin Console

Database

Fix versions

3.7.0 beta

Affects versions

3.6.4

Priority

Critical

Configure