
ldap.adminPassword is plain text

Description

I think a change needs to be made to the Openfire admin console, for security reasons. The LDAP admin password is displayed in plain text. It should be masked out. I realize that you need to have Openfire admin privileges to view that page or the database, but once the source is accessed anyone walking by could read the value from a screen, or the browser cache could be used to view it. Security of my network is of utmost importance.

Environment

Openfire 3.6.0

Acceptance Test - Entry

None

Activity

Daniel Henninger
August 29, 2008, 8:02 PM

Agreed, moving to 3.6.1.

Michael Michael
February 26, 2009, 8:58 PM

This is related to JM-930. I agree that this is a critical bug. See comments that are made under JM-930.

Brian Tuley
September 11, 2009, 7:36 PM

This issue violates PCI (payment card industry https://www.pcisecuritystandards.org) standards and affects any business that collects credit cards.

It most likely violates HIPAA (privacy in medical records) as well.

OpenFire is a great tool that I would love to roll out to agents in my center, however use would not be allowed because passwords are exposed.

Other tools that require active directory authentication like SAMBA don't have this problem.

Guus der Kinderen
January 10, 2010, 11:42 PM

Openfire masks all values for properties if the property name includes password, passwd or cookieKey. The matches needed to be case-sensitive, which is why ldap.adminPassword (note the capital P) did not match. I made a modification that will allow case-insensitive matching.
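As an added illustration (not Openfire's own code), a hypothetical stand-in for the admin console's masking check: the case-sensitive substring test that let ldap.adminPassword through, beside the case-insensitive version described above. The class and method names are assumptions; the property values are constructed placeholders.

```java
import java.util.List;
import java.util.Locale;

/** Hypothetical stand-in for the admin console's property-masking check (not Openfire's actual code). */
public class PropertyMasking {
    private static final List<String> SENSITIVE_FRAGMENTS = List.of("password", "passwd", "cookieKey");
    private static final String MASK = "********";

    /** Pre-fix behaviour: a plain substring test, so "ldap.adminPassword" (capital P) slips through. */
    static boolean isSensitiveCaseSensitive(String propertyName) {
        for (String fragment : SENSITIVE_FRAGMENTS) {
            if (propertyName.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Fixed behaviour: lower-case both sides before comparing, so "Password" and "PASSWD" match too.
     * Locale.ROOT avoids locale-specific case rules (e.g. the Turkish dotless i in "cookieKey").
     */
    static boolean isSensitive(String propertyName) {
        String lowered = propertyName.toLowerCase(Locale.ROOT);
        for (String fragment : SENSITIVE_FRAGMENTS) {
            if (lowered.contains(fragment.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    /** What the console should render: the mask, never the stored value, for sensitive names. */
    static String displayValue(String propertyName, String storedValue) {
        return isSensitive(propertyName) ? MASK : storedValue;
    }

    public static void main(String[] args) {
        // Constructed sample properties; the secret values are placeholders, not real credentials.
        String[][] properties = {
            {"ldap.adminPassword", "example-secret"},
            {"ldap.adminDN", "cn=admin,dc=example,dc=org"},
            {"xmpp.cookieKey", "example-cookie"},
            {"provider.password", "example-secret-2"},
        };
        for (String[] p : properties) {
            System.out.printf("%-20s old-check=%-5b fixed-check=%-5b shown=%s%n",
                p[0], isSensitiveCaseSensitive(p[0]), isSensitive(p[0]), displayValue(p[0], p[1]));
        }
    }
}
```

Because the mask is substituted before the page is generated, the stored secret never reaches the HTML source or the browser cache, which addresses the reporter's concern as well as the on-screen exposure.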

Assignee

Guus der Kinderen

Reporter

Todd Getz

Labels

None

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Critical