Bug 456210 - Plaintext passwords in web_customer.password
Summary: Plaintext passwords in web_customer.password
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 0.1
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space02
Reported: 2008-07-22 08:54 UTC by Jan Pazdziora
Modified: 2009-09-17 06:59 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-17 06:59:35 UTC



Description Jan Pazdziora 2008-07-22 08:54:10 UTC
When you create a new organization in RHN Satellite v5.1.0, the
administrator password is stored in plain text in the web_customer
table.

That field isn't even used; we should drop the column from our DB entirely.

In Spacewalk 0.1, the Java code does not pass in a password to the call to the
stored proc: create_new_org. But the database column is still there.

This is related to Satellite's bug 450038 and bug 453664.

Comment 1 Jan Pazdziora 2008-07-22 09:00:30 UTC
Fix committed: a6a0b3864af0ccd52dcaae121bf070a36d8f6a1a.

Comment 2 Jan Pazdziora 2008-07-22 10:25:08 UTC
Plus fix: cd62f73a778af286132e27b6ff41377ab1618327

Comment 3 Devan Goodwin 2008-09-05 14:43:33 UTC
SQL> desc web_customer;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 ID                                        NOT NULL NUMBER
 NAME                                      NOT NULL VARCHAR2(128)
 ORACLE_CUSTOMER_ID                                 NUMBER
 ORACLE_CUSTOMER_NUMBER                             NUMBER
 CUSTOMER_TYPE                             NOT NULL CHAR(1)
 CREDIT_APPLICATION_COMPLETED                       VARCHAR2(1)
 CREATED                                   NOT NULL DATE
 MODIFIED                                  NOT NULL DATE

SQL>

Verified against spacewalk 0.2.

Comment 4 Miroslav Suchý 2009-09-17 06:59:35 UTC
Spacewalk has been released for a long time.
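
Added example, not part of the original bug report or of the Spacewalk code: the manual check from Comment 3 turned into a repeatable regression test that parses SQL*Plus `desc` output and reports any column whose name suggests a stored credential. The name patterns and the "before" sample with its PASSWORD row and type are assumptions constructed for illustration.

```python
import re

# Name fragments that suggest a stored credential (assumed list; extend for your schema).
SUSPECT = re.compile(r"PASSWORD|PASSWD|PWD|SECRET", re.IGNORECASE)
# One DESCRIBE row: column name, optional NOT NULL, declared type.
ROW = re.compile(r"^\s*(?P<name>[A-Za-z][\w$#]*)\s+(?P<notnull>NOT NULL\s+)?(?P<type>\S.*?)\s*$")

def parse_desc(text):
    """Return [(column, nullable, type)] parsed from SQL*Plus `desc` output."""
    cols = []
    for line in text.splitlines():
        s = line.strip()
        # Skip blank lines, the SQL> prompt, the header row and the dashed ruler.
        if not s or s.startswith(("SQL>", "---", "Name ")):
            continue
        m = ROW.match(line)
        if m:
            cols.append((m["name"].upper(), m["notnull"] is None, m["type"]))
    return cols

def credential_columns(text):
    """Columns whose name suggests a stored secret, with their declared type."""
    return [(name, typ) for name, _, typ in parse_desc(text) if SUSPECT.search(name)]

# Output from Comment 3 (verified against Spacewalk 0.2), blank lines removed.
AFTER = """SQL> desc web_customer;
 Name                          Null?    Type
 ----------------------------- -------- -------------
 ID                            NOT NULL NUMBER
 NAME                          NOT NULL VARCHAR2(128)
 ORACLE_CUSTOMER_ID                     NUMBER
 ORACLE_CUSTOMER_NUMBER                 NUMBER
 CUSTOMER_TYPE                 NOT NULL CHAR(1)
 CREDIT_APPLICATION_COMPLETED           VARCHAR2(1)
 CREATED                       NOT NULL DATE
 MODIFIED                      NOT NULL DATE
"""
# Constructed "before" sample: the PASSWORD row and its type are invented for the demo.
BEFORE = AFTER.replace(" CREATED ", " PASSWORD                               VARCHAR2(64)\n CREATED ", 1)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        hits = credential_columns(text)
        print(label, "FAIL" if hits else "ok", hits)
```

A name match only flags candidate columns for review; it says nothing about values already captured in backups or exports taken before the column was dropped.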

