[ejabberd] password insecurity

Badlop badlop at gmail.com
Tue Jul 2 19:47:17 MSK 2013

On 14 June 2013 15:22, Michael Scheppat <MSJean at gmx.de> wrote:
> Hi ejabberd-lers,
> I have seen a problem of the ejabberd2 webinterface.
> When browsing the user accounts there is an option to change the user's
> password.
> That might be ok, but viewing the html source code shows the old
> password in plaintext, which is not ok at all.
> That way user passwords could be spied on to use them on other accounts
> in case they use the same passwords again. Especially when there are
> multiple admins to operate on that xmpp server.
> 1.) Do you know of this and is this already handled by you?

Yes, that was a feature when implemented; it may be considered a problem.
There's a ticket for that:

However, the ticket has 0 votes.

> 2.) What can I do to secure this?

There's a very simple patch:

--- a/src/web/ejabberd_web_admin.erl
+++ b/src/web/ejabberd_web_admin.erl
@@ -1723,7 +1723,7 @@ user_info(User, Server, Query, Lang) ->
                                       ?LI([?C(R ++ FIP)])
                               end, lists:sort(Resources)))]
-    Password = ejabberd_auth:get_password_s(User, Server),
+    Password = string:chars($*,
length(ejabberd_auth:get_password_s(User, Server))),
     FPassword = [?INPUT("password", "password", Password), ?C(" "),
                 ?INPUTT("submit", "chpassword", "Change Password")],
     UserItems = ejabberd_hooks:run_fold(webadmin_user, LServer, [],
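Review bot: Pre-filling the field with `string:chars($*, length(ejabberd_auth:get_password_s(User, Server)))` still exposes the length of the stored password in the HTML source, and it changes what the form does. Before the patch the "password" input was pre-filled with the real password, so an admin who pressed "Change Password" without editing it re-submitted the same value; after the patch the same click submits a run of asterisks as the user's new password. The field only exists to receive a new value, so the safer fix is to not pre-fill it at all, e.g. `Password = "",` which also removes this page's dependence on being able to read the stored password back via `ejabberd_auth:get_password_s/2`. Separately, the new `+` line is wrapped across two lines here (`string:chars($*,` / `length(...)`), so the hunk header `-1723,7 +1723,7` no longer matches and the patch will not apply as posted; it needs to be a single line.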

> 3.) Can I find you on irc too and if yes where ?
> Thank you very much
> Michael
