Summary: www/owncloud: DB password unhashed
Product: Ports & Packages
Component: Individual Port(s)
Severity: Affects Many People
Reporter: O. Hartmann <ohartmann>
Assignee: Po-Chuan Hsieh <sunpoet>
CC: lwhsu, sunpoet, w.schwarzenfeld
Description O. Hartmann 2015-10-21 05:33:38 UTC
On a fresh installation of www/owncloud, I find the DB password issued for connecting to the PostgreSQL server in clear text! On an older installation, there is a hashed version of the password. This is considered a high security risk!
Comment 1 Kubilay Kocak 2015-10-21 05:41:14 UTC
Is this something that needs to be reported, and (also) fixed upstream, or is it a configuration default that can be improved upon?
Comment 2 Rene Ladan 2018-01-12 11:22:58 UTC
Comment 3 Walter Schwarzenfeld 2019-09-04 20:24:15 UTC
Maintainer feedback, please resp. is this still relevant?
Comment 4 Li-Wen Hsu 2020-11-06 08:12:38 UTC
Is this still happening in the newer version of owncloud? I am a bit curious about this issue: usually the DB password should still be saved in plain text somewhere, in order to let the application connect to the DB, and the protection of the password is done through file permission or ACL, etc. If this is really an issue, we probably also need to report it to the upstream.
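
The file-permission protection mentioned in comment 4, as an added example that is not part of this bug report or of the port: a small audit of the mode bits and ownership of a file holding a plaintext DB password. The file name `config.php`, the `dbpassword` sample contents and the function name `audit_secret_file` are assumptions made for illustration, and the sample is constructed.

```python
import os
import stat
import tempfile

# Constructed sample of a config file that stores a DB password in clear text.
SAMPLE_CONFIG = """<?php
$CONFIG = array(
  'dbtype' => 'pgsql',
  'dbuser' => 'owncloud',
  'dbpassword' => 'example-not-a-real-secret',
);
"""

def audit_secret_file(path, expected_uid=None):
    """Return a list of findings for a file that holds a plaintext credential."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")      # any local user can read the password
    if mode & stat.S_IWOTH:
        findings.append("world-writable")      # any local user can repoint the DB
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("unexpected-owner")
    # A world-writable parent without the sticky bit lets others replace the file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent-dir-world-writable")
    return findings

if __name__ == "__main__":
    workdir = tempfile.mkdtemp()               # created with mode 0700
    cfg = os.path.join(workdir, "config.php")
    with open(cfg, "w") as fh:
        fh.write(SAMPLE_CONFIG)
    for mode in (0o644, 0o640):                # loose setting, then tightened one
        os.chmod(cfg, mode)
        print(oct(mode), audit_secret_file(cfg, expected_uid=os.getuid()))
```

Run against the real configuration file, `expected_uid` would be the uid of the account the web server runs as.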