Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-5261

Password hashes dumpable

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Minor
    • 6.3-milestone-2, 6.2.3
    • 2.4 M1
    • Old Core
    • None
    • Unknown
    • N/A
    • N/A

    Description

      {{velocity}}
#set($adminDoc = $xwiki.getDocument('XWiki.Admin'))
#set($adminObj = $adminDoc.getObject('XWiki.XWikiUsers'))
$adminDoc.getValue('password', $adminObj)
{{/velocity}}

      IMO view permission means you have permission to view the page and all content.
      If we are to hide passwords I think we should either look toward adding a salt which is kept secret in a config file or moving all passwords into a document which users don't have view access to.
      Otherwise we will forever be adding hacks to patch leak after leak.
      </soapbox>

      Attachments

        Issue Links

          depends on

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-9599 Support multiple password hashing functions to store/verify user password

          • Major - Major loss of function.
          • Open
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-5777 Password property is accessible using getValue function

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-1127 Add support for 'salting' passwords

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. XE-1499 Conflict on Admin user when upgrading from 6.4.4 to 7.1.1

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-12446 When importing a empty password field we ends up with a hash in the database

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-12561 Can't compare two XWikiDocument with password property initialized with a clear password anymore

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-11801 ResetPassword feature is broken by password salting

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-8936 Watchlist dumps user's password hashes in its regular update mails

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-11288 Add a second level of salting for passwords, using a secret salt stored in xwiki.preferences

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          links to

          Web Link Pull Request

          Activity

            People

              enygma Eduard Moraru
              calebjamesdelisle CalebJamesDeLisle
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: