[ejabberd] password insecurity

Michael S. msjean at gmx.de
Mon Jul 8 01:42:24 MSK 2013


Thank you very much.
You have answered completely and precisely.
That too is honorable.

Michael

On 06.07.2013 13:42, Badlop wrote:
> On 5 July 2013 17:23, Michael Scheppat <MSJean at gmx.de> wrote:
>> Thanks for replying.
>>
>> Suppose I patch my config as you suggested below.
>> 2.0 What does this patch actually do?
> When viewing an account details in WebAdmin, ejabberd does not provide
> the real full password in the HTML. Instead, it provides a list of *s,
> which is in fact what later the web browser displays to the user.
>
> So, instead of
> <input type="password" name="password" value="mysensitive_password"/>
> it provides:
> <input type="password" name="password" value="*************************"/>
>
> This patch only changes what is shown in WebAdmin, so:
>
>> 2.1 Is there anything that I should back up before doing so?
> No changes in data.
>
>> 2.2 Does anything happen to the existing accounts?
> No.
>
>> 2.3 Are the consequences reversible, in case of trouble?
>> (I don't want to end up losing the accounts)
> Yes, just change back the old ejabberd_web_admin.beam.
>
>
>
>> Sent: Tuesday, 02 July 2013 at 17:47
>> From: Badlop <badlop at gmail.com>
>> To: ejabberd at jabber.ru
>>
>> Subject: Re: [ejabberd] password insecurity
>> On 14 June 2013 15:22, Michael Scheppat <MSJean at gmx.de> wrote:
>>> Hi ejabberd-lers,
>>>
>>> I have seen a problem of the ejabberd2 webinterface.
>>> When browsing the user accounts there is an option to change the user's
>>> password.
>>> That might be ok, but viewing the html source code shows the old
>>> password in plaintext, which is not ok at all.
>>> That way user passwords could be spied on to use them on other accounts
>>> in case they use the same passwords again. Especially when there are
>>> multiple admins operating that xmpp server.
>>>
>> ...
>>
>>> 2.) What can I do to secure this?
>> There's a very simple patch:
>>
>> --- a/src/web/ejabberd_web_admin.erl
>> +++ b/src/web/ejabberd_web_admin.erl
>> @@ -1723,7 +1723,7 @@ user_info(User, Server, Query, Lang) ->
>> ?LI([?C(R ++ FIP)])
>> end, lists:sort(Resources)))]
>> end,
>> - Password = ejabberd_auth:get_password_s(User, Server),
>> + Password = string:chars($*,
>> length(ejabberd_auth:get_password_s(User, Server))),
>> FPassword = [?INPUT("password", "password", Password), ?C(" "),
>> ?INPUTT("submit", "chpassword", "Change Password")],
>> UserItems = ejabberd_hooks:run_fold(webadmin_user, LServer, [],
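Review bot: the replacement `Password = string:chars($*, length(ejabberd_auth:get_password_s(User, Server)))` still discloses the length of the real password to anyone who views the page source, because the mask has exactly as many characters as the stored password. A fixed-length mask (for example `string:chars($*, 8)`) or an empty string removes that leak at no cost. An empty value is also safer for the form itself: `?INPUT("password", "password", Password)` sits next to the "chpassword" submit button, so a prefilled mask is what gets sent if an admin clicks "Change Password" without first editing the field.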
>>
>>
>
> --
> Badlop
> ProcessOne
> _______________________________________________
> ejabberd mailing list
> ejabberd at jabber.ru
> http://lists.jabber.ru/mailman/listinfo/ejabberd