[dev] security issue with latest horde.

Ronan SALMON rsalmon at mbpgroup.com
Thu Apr 9 08:48:34 UTC 2009


Vilius Šumskas <vilius at lnk.lt> wrote:

>> The problem is that, if you look for "password", you'll see the user's
>> password and in my case, ingo vfs's driver password.
>>
>> I surely have all the debug options turned on (and should be turned
>> off on production servers!), but I think passwords shouldn't be shown
>> as plain text.
>>
>> Can someone reproduce this?
>
> It's not *user's* password. It's the text string you've entered into
> password field during login.

It doesn't show all user passwords, but only the password of the user who is logged in, and it obviously matches the text string that a user entered during login. I can also see the content of ingo/config/backends.php, including the username/password used by the vfs driver.
Maybe I wasn't clear in my initial post.

Ronan.

