[ejabberd] password insecurity

Badlop badlop at gmail.com
Tue Jul 2 19:47:17 MSK 2013


On 14 June 2013 15:22, Michael Scheppat <MSJean at gmx.de> wrote:
> Hi ejabberd-lers,
>
> I have seen a problem of the ejabberd2 webinterface.
> When browsing the user accounts there is an option to change the user's
> password.
> That might be ok, but viewing the html source code shows the old
> password in plaintext, which is not ok at all.
> That way user passwords could be spied on to use them on other accounts
> in case they use the same passwords again. Especially when there are
> multiple admins to operate on that xmpp server.
>
> 1.) Do you know of this and is this already handled by you?

Yes, that was a feature when it was implemented; it may be considered a problem.
There's a ticket for that:
https://support.process-one.net/browse/EJAB-1120

However, the ticket has 0 votes.


>
> 2.) What can I do to secure this?

There's a very simple patch:

--- a/src/web/ejabberd_web_admin.erl
+++ b/src/web/ejabberd_web_admin.erl
@@ -1723,7 +1723,7 @@ user_info(User, Server, Query, Lang) ->
                                       ?LI([?C(R ++ FIP)])
                               end, lists:sort(Resources)))]
        end,
-    Password = ejabberd_auth:get_password_s(User, Server),
+    Password = string:chars($*,
length(ejabberd_auth:get_password_s(User, Server))),
     FPassword = [?INPUT("password", "password", Password), ?C(" "),
                 ?INPUTT("submit", "chpassword", "Change Password")],
     UserItems = ejabberd_hooks:run_fold(webadmin_user, LServer, [],
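Review bot: replacing the stored password with a run of `*` of the same length (`string:chars($*, length(...))`) still exposes the password length to anyone who can read the page source, and because the field is the `password` input submitted by the `chpassword` button, an admin who clicks "Change Password" without editing it will submit the asterisks as the new password. Rendering the field empty avoids both, e.g. `Password = "",` before the `FPassword = [?INPUT("password", "password", Password), ...` line. Also, the added `+` line is wrapped in this mail and its continuation `length(ejabberd_auth:get_password_s(User, Server))),` carries no `+` prefix, so the hunk will not apply as pasted.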


>
> 3.) Can I find you on irc too and if yes where?
>
> Thank you very much
>
> Michael

--
Badlop
ProcessOne
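The defect discussed in this thread (an admin page that pre-fills a password input with the stored secret) is easy to regression-test from the outside. The following is an added example, not ejabberd code: a small checker that parses rendered HTML and reports every `<input type="password">` whose `value` attribute is non-empty, flagging separately the "masked" variant (a value made only of `*`), which still leaks the length. The sample pages are constructed here for the demonstration.

```python
from html.parser import HTMLParser


class PrefilledPasswordFinder(HTMLParser):
    """Collect password-type <input> elements that carry a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, value, kind)

    def handle_starttag(self, tag, attrs):
        # handle_startendtag (for <input .../>) delegates here by default
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        value = a.get("value", "")
        if value == "":
            return  # empty field: the admin must type a new password
        kind = "masked-length-leak" if set(value) == {"*"} else "plaintext-leak"
        self.findings.append((a.get("name", ""), value, kind))


def find_prefilled_password_fields(html):
    """Return [(name, value, kind)] for every pre-filled password input in html."""
    parser = PrefilledPasswordFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages modelled on the form shape in the thread
# (a password input followed by a "Change Password" submit button).
LEAKY_PAGE = """<html><body>
<form method="post">
<input type="password" name="password" value="hunter2-constructed">
<input type="submit" name="chpassword" value="Change Password">
</form></body></html>"""

MASKED_PAGE = LEAKY_PAGE.replace("hunter2-constructed", "*" * len("hunter2-constructed"))

FIXED_PAGE = LEAKY_PAGE.replace(' value="hunter2-constructed"', "")


if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("masked", MASKED_PAGE), ("fixed", FIXED_PAGE)):
        print(label, find_prefilled_password_fields(page))
```

Run against the real admin page over an authenticated session, an empty result is the pass condition; anything tagged `plaintext-leak` reproduces the original report, and `masked-length-leak` shows the asterisk approach still reveals how long each password is.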

