[ejabberd] password insecurity

Badlop badlop at gmail.com
Sat Jul 6 15:42:16 MSK 2013


On 5 July 2013 17:23, Michael Scheppat <MSJean at gmx.de> wrote:
> Thanks for replying.
>
> Suppose I patch my config as you suggested below.
> 2.0 What does this patch actually do?

When viewing an account's details in WebAdmin, ejabberd does not provide
the real full password in the HTML. Instead, it provides a list of *s,
which is in fact what the web browser later displays to the user.

So, instead of
<input type="password" name="password" value="mysensitive_password"/>
it provides:
<input type="password" name="password" value="*************************"/>

This patch only changes what is shown in WebAdmin, so:

> 2.1 Is there anything that I should back up before doing so?

No changes in data.

> 2.2 Does anything happen to the existing accounts?

No.

> 2.3 Are the consequences reversible, in case of trouble?
> (I don't want to end up losing the accounts)

Yes, just change back the old ejabberd_web_admin.beam.



>
> Sent: Tuesday, 02 July 2013 at 17:47
> From: Badlop <badlop at gmail.com>
> To: ejabberd at jabber.ru
>
> Subject: Re: [ejabberd] password insecurity
> On 14 June 2013 15:22, Michael Scheppat <MSJean at gmx.de> wrote:
>> Hi ejabberd-lers,
>>
>> I have seen a problem of the ejabberd2 webinterface.
>> When browsing the user accounts there is an option to change the user's
>> password.
>> That might be ok, but viewing the html source code shows the old
>> password in plaintext, which is not ok at all.
>> That way user passwords could be spied on to use them on other accounts
>> in case they use the same passwords again. Especially when there are
>> multiple admins to operate on that xmpp server.
>>
> ...
>
>>
>> 2.) What can I do to secure this?
>
> There's a very simple patch:
>
> --- a/src/web/ejabberd_web_admin.erl
> +++ b/src/web/ejabberd_web_admin.erl
> @@ -1723,7 +1723,7 @@ user_info(User, Server, Query, Lang) ->
> ?LI([?C(R ++ FIP)])
> end, lists:sort(Resources)))]
> end,
> - Password = ejabberd_auth:get_password_s(User, Server),
> + Password = string:chars($*,
> length(ejabberd_auth:get_password_s(User, Server))),
> FPassword = [?INPUT("password", "password", Password), ?C(" "),
> ?INPUTT("submit", "chpassword", "Change Password")],
> UserItems = ejabberd_hooks:run_fold(webadmin_user, LServer, [],
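Review bot: the replacement at the `+` line, `string:chars($*, length(ejabberd_auth:get_password_s(User, Server)))`, still puts the exact length of the stored password into the HTML, so anyone who can read the page source learns how long each user's password is; a fixed-length placeholder, or better an `?INPUT("password", "password", "")` with no pre-filled value, reveals nothing and removes the need to call `ejabberd_auth:get_password_s/2` in this view at all. Note also that the field is still passed to `?INPUT("password", "password", Password)` next to the `chpassword` submit button, so an admin who clicks "Change Password" without retyping would submit the string of asterisks as the new password unless the handler rejects it; an empty field is the safer default.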
>
>


--
Badlop
ProcessOne


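The following check, added here as an example and not part of the thread or of ejabberd itself, inspects a saved copy of a WebAdmin user page and reports what the HTML reveals about the account password: the plaintext value the original code emitted, a mask whose length still equals the password length (what the quoted patch produces), or nothing. The two sample pages are constructed to mirror the `<input>` tags quoted above, the function names are the author's own, and `hardened_password_field` shows the form of the field that passes the check.

```python
"""Check what a WebAdmin change-password form leaks about the stored password.

Usage: save the account page from the browser ("view source") and pass its
text to classify_exposure() together with the password you set for that test
account. The HTML below is constructed for this example, not captured from a
real ejabberd server.
"""
from html.parser import HTMLParser
from typing import Optional, Tuple

# Test credential used for the constructed pages (20 characters long).
REAL_PASSWORD = "mysensitive_password"

# What the unpatched ejabberd_web_admin emitted: the password is in the value.
UNPATCHED_HTML = (
    '<form action="" method="post">'
    '<input type="password" name="password" value="mysensitive_password"/> '
    '<input type="submit" name="chpassword" value="Change Password"/>'
    '</form>'
)

# What the quoted patch emits: one '*' per password character.
PATCHED_HTML = (
    '<form action="" method="post">'
    '<input type="password" name="password" value="********************"/> '
    '<input type="submit" name="chpassword" value="Change Password"/>'
    '</form>'
)


class _PasswordFieldFinder(HTMLParser):
    """Locate the first <input name="password"> and record its value attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.found = False
        self.value: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <input .../> here as well.
        if tag != "input" or self.found:
            return
        attributes = dict(attrs)
        if attributes.get("name") == "password":
            self.found = True
            # None when the tag carries no value attribute at all.
            self.value = attributes.get("value")


def password_field_value(page: str) -> Tuple[bool, Optional[str]]:
    """Return (field_present, value_attribute) for the password input.

    The value is exactly what the browser would submit if the admin clicked
    "Change Password" without typing anything.
    """
    finder = _PasswordFieldFinder()
    finder.feed(page)
    finder.close()
    return finder.found, finder.value


def classify_exposure(page: str, real_password: str) -> str:
    """Classify what a reader of the HTML source learns about the password.

    'plaintext'   - the real password is in the value attribute
    'length_leak' - the value is an all-'*' mask as long as the password
    'masked'      - a value is present but reveals neither password nor length
    'none'        - no password field, or a field with no value attribute
    """
    present, value = password_field_value(page)
    if not present or value is None:
        return "none"
    if value == real_password or real_password in page:
        return "plaintext"
    if value and set(value) == {"*"} and len(value) == len(real_password):
        return "length_leak"
    return "masked"


def hardened_password_field() -> str:
    """Render the change-password input with no value at all.

    Nothing about the stored password reaches the browser, and submitting the
    form without typing sends an empty string rather than a mask.
    """
    return '<input type="password" name="password" autocomplete="new-password"/>'


if __name__ == "__main__":
    for label, page in (("unpatched", UNPATCHED_HTML),
                        ("patched", PATCHED_HTML),
                        ("hardened", hardened_password_field())):
        print(f"{label:10s} -> {classify_exposure(page, REAL_PASSWORD)}")
```

Run against a real saved page, the check only needs the password of a throwaway test account; if it reports `length_leak`, the page is still telling every admin how long each user's password is, and a fixed-length or absent value is the fix.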