Opened 3 years ago
Closed 3 years ago
#1487034 closed Bugs (fixed)
password plugin
| Reported by: | michalp | Owned by: | |
|---|---|---|---|
| Priority: | 5 | Milestone: | 0.5-beta |
| Component: | Plugins | Version: | 0.4.1 |
| Severity: | normal | Keywords: | password |
| Cc: | | | |
Description
Password plugin/SQL driver.
It's not possible to use special characters like %o in cleartext passwords.
It's possible for the end user to inject some data into the SQL query.
For example:
"UPDATE users SET password = %p WHERE username = %u";
If the user sets a new password like 'password%o', the DB backend will crash and the password will be logged to syslog/file. If the old password contains some SQL data, it could also be executed.
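To make the failure mode concrete, here is an added example (not the plugin's code and not from the reporter) that reconstructs the problem in Python: a template with %p (new password), %u (username) and %o (old password) placeholders, expanded once by sequential string replacement and once by a single-pass substitution that quotes each value. The placeholder names, the `users` table and the `sql_quote` helper are assumptions for the demo; the in-memory SQLite table only stands in for whatever backend the driver talks to.

```python
import re
import sqlite3

# Constructed template, modelled on the query quoted in the ticket.
TEMPLATE = "UPDATE users SET password = %p WHERE username = %u"


def naive_expand(sql, username, old_pw, new_pw):
    """Sequential replacement: later passes rescan text produced by earlier
    ones, so a '%o' inside the new password is expanded to the old password,
    and nothing is escaped."""
    sql = sql.replace("%p", "'" + new_pw + "'")
    sql = sql.replace("%o", "'" + old_pw + "'")
    sql = sql.replace("%u", "'" + username + "'")
    return sql


def sql_quote(value):
    """Minimal literal quoting for the demo (double every single quote).
    A real driver should use its own quoting or a prepared statement."""
    return "'" + value.replace("'", "''") + "'"


def safe_expand(sql, username, old_pw, new_pw):
    """Single pass with a callback: the replacement text is never rescanned,
    so placeholder-looking characters in a value stay literal, and every
    value is quoted before it reaches the query."""
    values = {"p": new_pw, "o": old_pw, "u": username}
    return re.sub(r"%([pou])", lambda m: sql_quote(values[m.group(1)]), sql)


def apply_update(sql):
    """Run the statement against a throwaway SQLite table holding one user.
    Returns (ok, stored_password); ok is False if the backend rejected it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('bob', 'oldsecret')")
    try:
        conn.execute(sql)
    except (sqlite3.Error, sqlite3.Warning):
        return False, conn.execute(
            "SELECT password FROM users WHERE username = 'bob'").fetchone()[0]
    stored = conn.execute(
        "SELECT password FROM users WHERE username = 'bob'").fetchone()[0]
    conn.close()
    return True, stored


if __name__ == "__main__":
    # Constructed input: the new password contains the %o token and the old
    # password carries SQL, the two cases the ticket describes.
    old_pw, new_pw = "x' OR 1=1; --", "password%o"
    print(naive_expand(TEMPLATE, "bob", old_pw, new_pw))
    print(apply_update(naive_expand(TEMPLATE, "bob", old_pw, new_pw)))
    print(safe_expand(TEMPLATE, "bob", old_pw, new_pw))
    print(apply_update(safe_expand(TEMPLATE, "bob", old_pw, new_pw)))
```

With the naive expansion the old password ends up spliced into the statement unquoted and the backend rejects it (the "crash" the reporter saw, with the full statement, password included, in the error log); with the single-pass expansion the new password is stored verbatim as `password%o`.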
Change History (1)
comment:1 Changed 3 years ago by alec
- Milestone changed from later to 0.5-beta
- Resolution set to fixed
- Status changed from new to closed
Fixed in r4058/svn. Requires [9db4ca92].