• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item7420: Installer caches credentials in world-readable file

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Extension BuildContrib Urgent New   n/a  

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

When build.pl upload saves password and creates a .buildcontrib file, the file is world read and the credentials are stored in plain text. Obviously, this is a security issue.

It should create the file with user rw, g none w none. required

It would be better to encrypt the file - or at least obscure the credentials with base64 encoding to resist shoulder surfing. recommended

-- TWiki:Main/TimotheLitt - 2014-01-24

ItemTemplate
Summary Installer caches credentials in world-readable file
ReportedBy TWiki:Main.TimotheLitt
Codebase

SVN Range TWiki-6.0.1-trunk, Thu, 09 Jan 2014, build 26720
AppliesTo Extension
Component BuildContrib
Priority Urgent
CurrentState New
WaitingFor

Checkins

TargetRelease n/a
ReleasedIn

Topic revision: r1 - 2014-01-24 - TimotheLitt
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback