Bug 203914 - www/owncloud: DB password unhashed
Summary: www/owncloud: DB password unhashed
Status: Closed Not A Bug
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Po-Chuan Hsieh
URL:
Keywords: needs-qa, security
Depends on:
Blocks:
 
Reported: 2015-10-21 05:33 UTC by O. Hartmann
Modified: 2021-06-25 11:15 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (sunpoet)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description O. Hartmann 2015-10-21 05:33:38 UTC 
On a fresh installation of www/owncloud, I find the DB passowrd issued for connecting to the PostgreSQL server in clear text! On an older installation, there is a hashed version of the password.

This is considered a high security risk!
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2015-10-21 05:41:14 UTC 
Is this something that needs to be reported, and (also) fixed upstream, or is it a configuration default that can be improved upon?
Comment 2 Rene Ladan freebsd_committer freebsd_triage 2018-01-12 11:22:58 UTC 
Maintainer reset.
Comment 3 Walter Schwarzenfeld 2019-09-04 20:24:15 UTC 
Maintainer feedback, please resp. is this still relevant?
Comment 4 Li-Wen Hsu freebsd_committer freebsd_triage 2020-11-06 08:12:38 UTC 
Is this still happening in the enewer version of owncloud?

I am a bit curious this issue, usually the DB password should still be saved in plain text somewhere, in order to let the application to connect to DB, and the protection of the password is done through file permission or ACK, etc.

If this is really an issue, probably also need to report to the upstream.
Comment 5 Po-Chuan Hsieh freebsd_committer freebsd_triage 2021-06-25 11:15:24 UTC 
AFAIK, upstream does not think it's an issue [1].

[1] https://github.com/owncloud/core/issues/17646