ldap.adminPassword is plain text

Description

I think a change needs to be made to the Openfire admin console, for security reasons. The LDAP admin password is displayed in plain text. It should be masked out. I realize that you need to have Openfire admin privileges to view that page or the database, but once the source is accessed anyone walking by could read the value from a screen, or browser cache could be used to view it. Security of my network is of utmost importance.

Environment

Openfire 3.6.0

Activity

Guus der Kinderen 
January 10, 2010 at 11:42 PM

Openfire masks all values for properties if the property name includes password, passwd or cookieKey. The matches needed to be case sensitive, which is why ldap.adminPassword (note the capital P) did not match. I made a modification that will allow case-insensitive matching.
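The matching rule described in the comment above, as an added example (not Openfire's own code): a case-sensitive substring match on property names lets `ldap.adminPassword` through because of the capital P, while the case-insensitive match masks it. The property names and values are constructed for illustration; `leaked_under_case_sensitive_rule` is a hypothetical helper you can point at your own property list to find names that the old rule would have rendered in clear.

```python
# Added example, not code from the Openfire project. Demonstrates why a
# case-sensitive substring match on property names misses
# "ldap.adminPassword" and how case-insensitive matching closes the gap.
# All property names and values below are constructed sample data.

SENSITIVE_FRAGMENTS = ("password", "passwd", "cookieKey")
MASK = "********"

# Constructed sample of the kind of properties an admin console would list.
SAMPLE_PROPERTIES = {
    "ldap.host": "ldap.example.internal",
    "ldap.adminDN": "cn=openfire,ou=service,dc=example,dc=internal",
    "ldap.adminPassword": "S3cr3t-LDAP",   # capital P: no case-sensitive match
    "jdbcProvider.password": "db-pass",     # lower case: matched either way
    "xmpp.auth.passwd": "x",                # constructed name, matched either way
    "session.cookieKey": "0123abcd",        # exact fragment, matched either way
    "xmpp.domain": "example.internal",
}


def is_sensitive_name(name: str, case_insensitive: bool) -> bool:
    """True if the property name should be masked when rendered."""
    if case_insensitive:
        lowered = name.lower()
        return any(frag.lower() in lowered for frag in SENSITIVE_FRAGMENTS)
    return any(frag in name for frag in SENSITIVE_FRAGMENTS)


def mask_properties(props: dict, case_insensitive: bool) -> dict:
    """Return a copy of props with sensitive values replaced by MASK.

    This is a display-layer control only: the stored values are untouched.
    """
    return {
        name: (MASK if is_sensitive_name(name, case_insensitive) else value)
        for name, value in props.items()
    }


def leaked_under_case_sensitive_rule(props: dict) -> list:
    """Names the case-insensitive rule masks but the old rule shows in clear.

    Hypothetical audit helper: run it over your own property names to find
    secrets the pre-fix behaviour would have rendered in plain text.
    """
    return sorted(
        name for name in props
        if is_sensitive_name(name, True) and not is_sensitive_name(name, False)
    )


if __name__ == "__main__":
    old = mask_properties(SAMPLE_PROPERTIES, case_insensitive=False)
    new = mask_properties(SAMPLE_PROPERTIES, case_insensitive=True)
    for name in SAMPLE_PROPERTIES:
        print(f"{name:24} old rule: {old[name]:48} new rule: {new[name]}")
    print("leaked under old rule:", leaked_under_case_sensitive_rule(SAMPLE_PROPERTIES))
```

Note that masking only changes what the console renders; the secret is still stored in clear, so database access and backups are unaffected by this fix.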

Brian Tuley 
September 11, 2009 at 7:36 PM

This issue violates PCI (payment card industry, https://www.pcisecuritystandards.org) standards and affects any business that collects credit cards.

It most likely violates HIPAA (privacy in medical records) as well.

OpenFire is a great tool that I would love to roll out to agents in my center, however use would not be allowed because passwords are exposed.

Other tools that require active directory authentication like SAMBA don't have this problem.

Michael Michael 
February 26, 2009 at 8:58 PM

This is related to JM-930. I agree that this is a critical bug. See the comments made under JM-930.

Daniel Henninger 
August 29, 2008 at 8:02 PM

Agreed, moving to 3.6.1.

Fixed

Details

Created August 29, 2008 at 7:57 PM
Updated February 1, 2010 at 3:11 AM
Resolved January 10, 2010 at 11:42 PM