Etherpad - Plain Text passwords #874
Comments
|
Good work @OnGle It seems that the plugin noted in that thread does essentially resolve the issue. FWIW, here it is. Perhaps we should consider including that for the next release? Although IMO the fact that the issue has been "closed" via release of a third party plugin is somewhat concerning. The default behaviour of etherpad remains broken (WRT security) and it appears there is no plan to fix it. Perhaps I'm missing something, but I don't understand why this isn't considered a critical bug worthy of resolving within the core code. It makes me wonder what other short cuts may have been taken WRT security (that just haven't been noticed yet)?!? |
|
Looks like the plain text passwords also appear in the logfiles unless log level is < INFO... |
|
It might be a good idea to ship with the plugin, it's probably not secure still but it can't be much worse than plaintext. As far as the logs go, I'll check that out today and attempt to reproduce that. |
|
Ok so as far as logs go, I couldn't reproduce passwords appearing in logs at INFO, it might be worth testing that it still occures in DEBUG at some point but considering we default to WARN it probably wont be an issue. |
|
Due to #1132 (deprecating Etherpad) - this issue is somewhat irrelevant. Closing |
|
We've settled on adding the |
[update by @JedMeister] Due to #1132 - Etherpad will be deprecated and not released as part of v15.0 😢 As such, this issue is being closed and marked "won't fix".
[updated update] Actually... I just posted an update
somewhat related to #813
As of turnkeylinux-apps/etherpad#10 part of this issue has been resolved (don't reveal settings file to admins). However, I think that we should consider adding the "no clear text passwords" plugin for v15.0 release of etherpad.
@JedMeister
Our etherpad appliance runs off nodejs app etherpad-lite (https://github.com/ether/etherpad-lite) which stores the administrator password in plaintext. Moreover the administrative users have read/write access to the
settings.jsonfile from within the admin interface, the same file which stores the plaintext passwords, allowing any authenticated administrator to read any user's password from any location.It also appears that there is or seems to be no way to logout of the admin user.
Upstream seems to consider this concerning security risk as non-core functionality and has closed the related issue in preferance of a third party plugin for hashing password, see ether/etherpad-lite#1650
To ensure our users don't enable admin without understanding the security implications, we've decided to disable easy setting of admin password. And document the risks of enabling it.
The text was updated successfully, but these errors were encountered: