[Secure-testing-team] Bug#614304: dtc-common: does store user passwords unhashed in the database
Ansgar Burchardt
ansgar at 2008.43-1.org
Sun Feb 20 22:07:58 UTC 2011
Package: dtc-common
Version: 0.29.17-1
Severity: grave
Tags: upstream security
dtc stores user passwords unencrypted in the database:
$q = "INSERT INTO $pro_mysql_new_admin_table
(reqadm_login,
reqadm_pass,
[...]
VALUES('".$_REQUEST["reqadm_login"]."',
'".$_REQUEST["reqadm_pass"]."',
(from client/new_account_form.php)
This can be verified by executing "SELECT * FROM admin" in dtc's MySQL
database which shows the administrator password after installation.
dtc also stores passwords for various servives (FTP, ...). I have not
looked if passwords are hashed there.
The code in unstable (dtc/0.32.5-1) seems to have the same problems.
Ansgar
More information about the Secure-testing-team
mailing list