Passwords are in plain text

Bug #524490 reported by Owz
This bug affects 1 person
Affects: ejabberd (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Binary package hint: ejabberd

I found some passwords readable in plain text in several files.
For example, in /var/lib/ejabberd/passwd.DCD

After ejabberdctl dump ejabberd.dump, passwords of all users are readable in plain text in ejabberd.dump.

Passwords should be hashed!

Neustradamus (neustradamus) wrote :

What is the ejabberd version?

Neustradamus (neustradamus) wrote :

I found a page for your answer on http://www.ejabberd.im/plaintext-passwords-db

Rhonda D'Vine (rhonda) wrote :

Actually, I'm convinced neither by the reasoning therein nor by the discussions. Why can't it be stored hashed in the database but still be sent encrypted over the network?

Rhonda D'Vine (rhonda) wrote :

The passwords need to be stored hashed in the database - the way SASL works requires that.

Changed in ejabberd (Ubuntu):
status: New → Invalid
Iain Lane (laney)
Changed in ejabberd (Ubuntu):
status: Invalid → Won't Fix