mahara-contributors team mailing list archive
Message #22508
[Bug 1009262] Re: User passwords logged when LDAP misconfigured
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-5311
--
https://bugs.launchpad.net/bugs/1009262
Title: User passwords logged when LDAP misconfigured
Status in Mahara ePortfolio: Fix Released
Status in Mahara 1.7 series: Fix Released
Status in Mahara 1.8 series: Fix Released
Status in Mahara 1.9 series: Fix Released
Bug description:
When LDAP is misconfigured, for example pointing to a non-existent
LDAP server, the stack trace in the webserver log reports the user's
password (redacted log snippet to be attached).
It is not a major bug, in that the information is only available to
the server administrator under normal circumstances (unless log files
are not locked down, which does happen sometimes), but it's still bad
form and should be avoided if possible.
Mahara 1.6.0dev 2012051500 (according to lib/version.php). Running on
Ubuntu 10.04 and Apache2.
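The failure mode in the bug description, as an added example that is not Mahara's code or its released fix: a PHP backtrace captured on an authentication failure carries each frame's arguments, so printing them verbatim writes the password to the log. The function names and the sample credentials are constructed for illustration.

```php
<?php
// Constructed demonstration. All function names here are hypothetical.

// Describe an argument by type only, so no value can reach the log.
function summarise_arg($arg): string
{
    return is_object($arg) ? 'object(' . get_class($arg) . ')' : gettype($arg);
}

// Turn debug_backtrace() frames into log lines. With $redact = false the
// argument values are printed verbatim, which is the behaviour that leaks.
function format_backtrace(array $frames, bool $redact): string
{
    $render = $redact
        ? 'summarise_arg'
        : function ($arg) { return var_export($arg, true); };
    $lines = [];
    foreach ($frames as $i => $frame) {
        $args  = implode(', ', array_map($render, $frame['args'] ?? []));
        $where = ($frame['file'] ?? '[internal]') . ':' . ($frame['line'] ?? 0);
        $lines[] = sprintf('#%d %s(%s) at %s', $i, $frame['function'], $args, $where);
    }
    return implode("\n", $lines);
}

// Stand-in for an authentication call whose directory server is unreachable.
// The failure path captures a backtrace, and this call's own frame carries
// $username and $password as arguments.
function ldap_login_attempt(string $username, string $password, bool $redact): string
{
    // debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS) would drop arguments entirely.
    return "LDAP connection failed\n" . format_backtrace(debug_backtrace(), $redact);
}

// Constructed sample credentials.
$unsafe = ldap_login_attempt('alice', 'correct horse battery', false);
$safe   = ldap_login_attempt('alice', 'correct horse battery', true);

echo "--- arguments logged verbatim ---\n$unsafe\n";
echo "--- arguments logged by type ---\n$safe\n";

// The redacted trace must not contain the password.
if (strpos($safe, 'correct horse battery') !== false) {
    throw new RuntimeException('password reached the redacted trace');
}
```

The type-only rendering keeps the call chain useful for diagnosing the LDAP misconfiguration while leaving nothing in the web server log that needs protecting beyond ordinary log hygiene.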