[ejabberd] password insecurity
badlop at gmail.com
Tue Jul 2 19:47:17 MSK 2013
On 14 June 2013 15:22, Michael Scheppat <MSJean at gmx.de> wrote:
> Hi ejabberd-lers,
> I have seen a problem of the ejabberd2 webinterface.
> When browsing the user accounts there is an option to change the user's
> That might be ok, but viewing the html source code shows the old
> password in plaintext, which is not ok at all.
> That way user passwords could be spied on to use them on other accounts
> in case they use the same passwords again. Especially when there are
> multiple admins to operate on that xmpp server.
> 1.) Do you know of this and is this already handled by you?
Yes, that was a feature when it was implemented; it may be considered a problem.
There's a ticket for that:
However, the ticket has 0 votes.
> 2.) What can I do to secure this?
There's a very simple patch:
@@ -1723,7 +1723,7 @@ user_info(User, Server, Query, Lang) ->
?LI([?C(R ++ FIP)])
- Password = ejabberd_auth:get_password_s(User, Server),
+ Password = string:chars($*,
FPassword = [?INPUT("password", "password", Password), ?C(" "),
?INPUTT("submit", "chpassword", "Change Password")],
UserItems = ejabberd_hooks:run_fold(webadmin_user, LServer, ,
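Review bot: the `+` line still feeds the masked value into the change-password form on the following line (`?INPUT("password", "password", Password)`, posted by the "chpassword" submit button), so an admin who clicks Change Password without editing the field would submit the asterisks as the new password; use an empty string as the field's value instead, or make the handler treat the placeholder as "no change". The second argument to `string:chars($*, ...)` is cut off here; if it is derived from the old password's length, the HTML still reveals that length, so prefer a fixed count or an empty value. Also note that this only stops the admin page from echoing the secret: the removed `ejabberd_auth:get_password_s` call shows the auth backend can still hand out the plaintext password, so storing only a hashed form is the durable fix.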
> 3.) Can I find you on irc too and if yes where ?
> Thank you very much