ldap.adminPassword is plain text

Description

I think a change needs to be made to the Openfire admin console, for security reasons. The LDAP admin password is displayed in plain text. It should be masked out. I realize that you need to have Openfire admin privileges to view that page or the database, but once the source is accessed anyone walking by could read the value from a screen, or the browser cache could be used to view it. Security of my network is of utmost importance.

Environment

Openfire 3.6.0

Activity

Guus der Kinderen
January 10, 2010, 11:42 PM

Openfire masks all values for properties if the property name includes password, passwd or cookieKey. The matches needed to be case sensitive, which is why ldap.adminPassword (note the capital P) did not match. I made a modification that will allow case-insensitive matching.
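The masking rule described in the comment above, as an added example that is not Openfire's own code: the case-sensitive check that let ldap.adminPassword through, beside the case-insensitive fix, run over a constructed property table. The marker strings (password, passwd, cookieKey) are the ones named in the comment; the function names and sample property values are assumptions.

```python
# Added example (not Openfire's code): masking sensitive property values in an
# admin view, showing why a case-sensitive substring match misses ldap.adminPassword.
SENSITIVE_MARKERS = ("password", "passwd", "cookieKey")  # names given in the comment

def is_sensitive_case_sensitive(name: str) -> bool:
    """Original behaviour: exact-case substring match, so 'adminPassword' escapes."""
    return any(marker in name for marker in SENSITIVE_MARKERS)

def is_sensitive(name: str) -> bool:
    """Fixed behaviour: compare lower-cased, so capitalisation no longer matters."""
    lowered = name.lower()
    return any(marker.lower() in lowered for marker in SENSITIVE_MARKERS)

def render_properties(props: dict, check=is_sensitive) -> dict:
    """Return what the console should display: sensitive values replaced by a mask."""
    return {k: ("********" if check(k) else v) for k, v in props.items()}

# Constructed sample property table; the values are placeholders, not real secrets.
SAMPLE_PROPS = {
    "ldap.adminDN": "cn=admin,dc=example,dc=org",
    "ldap.adminPassword": "placeholder-secret",
    "xmpp.domain": "example.org",
    "database.defaultProvider.password": "placeholder-db-secret",
    "cookieKey": "placeholder-key",
}

if __name__ == "__main__":
    for label, check in (("case-sensitive (old)", is_sensitive_case_sensitive),
                         ("case-insensitive (fixed)", is_sensitive)):
        print(label)
        for k, v in render_properties(SAMPLE_PROPS, check).items():
            print(f"  {k} = {v}")
```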

Brian Tuley
September 11, 2009, 7:36 PM

This issue violates PCI (payment card industry https://www.pcisecuritystandards.org) standards and affects any business that collects credit cards.

It most likely violates HIPAA (privacy in medical records) as well.

OpenFire is a great tool that I would love to roll out to agents in my center, however use would not be allowed because passwords are exposed.

Other tools that require Active Directory authentication, like Samba, don't have this problem.

Michael Michael
February 26, 2009, 8:58 PM

This is related to JM-930. I agree that this is a critical bug. See the comments made under JM-930.

Daniel Henninger
August 29, 2008, 8:02 PM

Agreed, moving to 3.6.1.

Fixed

Assignee

Guus der Kinderen

Reporter

Todd Getz