Reported by: michalp | Owned by:
Password plugin/SQL driver.
It's not possible to use special characters like %o in cleartext passwords.
It's possible for an end user to inject data into the SQL query.
"UPDATE users SET password = %p WHERE username = %u";
If the user sets a new password like 'password%o', the DB backend will crash and the password will be logged to syslog/file. If the old password contains some SQL data, it could also be executed.
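The double-substitution problem described in this ticket, as an added illustration that is not the plugin's own code: a query template whose placeholders are replaced one after another will rescan values already inserted, so a `%o` inside the new password is expanded on a later pass. The example assumes `%o` stands for the old password and that replacement happens in the order `%p`, `%u`, `%o`; the single-pass and bound-parameter variants show two ways to avoid it.

```python
import re
import sqlite3

# Query template as quoted in the ticket. Placeholder meanings are assumed:
# %p = new password, %u = username, %o = old password.
QUERY = "UPDATE users SET password = %p WHERE username = %u"

def quote(value: str) -> str:
    """Minimal SQL string-literal quoting for the demo (doubles single quotes)."""
    return "'" + value.replace("'", "''") + "'"

def expand_sequential(template: str, username: str, new_pw: str, old_pw: str) -> str:
    """Vulnerable: each placeholder is replaced in turn, so a token that was part of
    an already-substituted value (e.g. %o inside the new password) is expanded by a
    later pass. The result is a malformed statement containing the old password."""
    sql = template.replace("%p", quote(new_pw))
    sql = sql.replace("%u", quote(username))
    sql = sql.replace("%o", quote(old_pw))
    return sql

def expand_single_pass(template: str, username: str, new_pw: str, old_pw: str) -> str:
    """Safer string building: one pass over the template only, so substituted
    values are never rescanned for placeholders."""
    values = {"%p": quote(new_pw), "%u": quote(username), "%o": quote(old_pw)}
    return re.sub(r"%[puo]", lambda m: values[m.group(0)], template)

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with one user row, for the bound-parameter demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('bob', 'oldsecret')")
    return conn

def update_parameterized(conn: sqlite3.Connection, username: str, new_pw: str) -> str:
    """Preferred fix: let the driver bind the values; no template substitution at all,
    so neither % tokens nor quotes in a password can alter the statement."""
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (new_pw, username))
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0]

if __name__ == "__main__":
    print(expand_sequential(QUERY, "bob", "password%o", "oldsecret"))
    print(expand_single_pass(QUERY, "bob", "password%o", "oldsecret"))
    print(update_parameterized(demo_db(), "bob", "password%o"))
```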