
Plain text password in tmp/ folder

Open dahlo opened this issue 3 years ago • 0 comments

Hi. First off, I have not been able to recreate this error since I have no idea how it occurred in the first place, sorry about that. We noticed that there was a file in the tmp/ folder of grav containing the full user info, including the password in plain text. The file in question had the path tmp/forms/1t7s6fp7acrft0u19ipcv55ij9/53b4e6cd0157f1bda2634add9c67d7de/index.yaml

Content of the file with sensitive information removed: [image]

The file stayed for months in the folder until we deleted it manually. Since tmp/ is not blocked by the supplied web server configs, the file has in principle been accessible through the web server, though not in practice because of the seemingly random folder names in the path.

It makes me a bit uneasy knowing that unhashed passwords are allowed to touch disk, but maybe it's hard to get around since it looks like it is the forms plugin that has generated the file.

dahlo avatar Aug 11 '22 21:08 dahlo
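The report above describes cached form data (tmp/forms/&lt;session&gt;/&lt;form-id&gt;/index.yaml) that sat on disk for months with a clear-text password in it and was only found by chance. The script below is an added example, not part of the original issue and not code from Grav or the forms plugin: it walks a tmp/ directory, reads flat `key: value` lines from any YAML file it finds, and reports entries under credential-like keys whose value does not look like a PHP `password_hash()` digest. The directory layout follows the path in the report; the session id, form id and file contents used in `demo()` are constructed, as is the list of sensitive keys.

```python
"""Scan a Grav-style tmp/ directory for cached form data holding clear-text
credentials. Added example for this issue; not Grav or forms-plugin code.
Layout tmp/forms/<session>/<form-id>/index.yaml is taken from the report,
all sample content below is constructed."""
import os
import re
import tempfile

# Keys whose value should never be readable in a cache file (constructed list).
SENSITIVE_KEYS = ("password", "password1", "password2", "passwd", "secret")
# PHP password_hash() output starts with one of these prefixes; anything
# else under a sensitive key is treated as clear text.
HASH_PREFIXES = ("$2y$", "$2a$", "$2b$", "$argon2i$", "$argon2id$")
# Minimal "key: value" matcher, sufficient for the flat YAML the cache holds.
KV_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*:\s*(.+?)\s*$")


def is_hashed(value):
    """True if the (possibly quoted) value carries a known password-hash prefix."""
    return value.strip("'\"").startswith(HASH_PREFIXES)


def find_plaintext_secrets(path):
    """Return (key, line_number) pairs for sensitive keys with a non-hashed value."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = KV_RE.match(line)
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2)
            if key in SENSITIVE_KEYS and not is_hashed(value):
                hits.append((key, lineno))
    return hits


def scan_tmp(root):
    """Walk root (a Grav tmp/ directory); return {relative_posix_path: hits}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".yaml", ".yml")):
                continue
            full = os.path.join(dirpath, name)
            hits = find_plaintext_secrets(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def demo():
    """Build a constructed tmp/ tree with one leaked and one clean cache file, scan it."""
    root = tempfile.mkdtemp()
    leaked = os.path.join(root, "forms", "sessionid-constructed", "formid-constructed")
    clean = os.path.join(root, "forms", "sessionid-constructed", "other-form")
    os.makedirs(leaked)
    os.makedirs(clean)
    # Constructed: the shape of the file the report describes, with a clear-text password.
    with open(os.path.join(leaked, "index.yaml"), "w", encoding="utf-8") as fh:
        fh.write("username: alice\nemail: alice@example.invalid\npassword: 'hunter2-constructed'\n")
    # Constructed: a cache entry whose password is already a bcrypt-style hash.
    with open(os.path.join(clean, "index.yaml"), "w", encoding="utf-8") as fh:
        fh.write("username: bob\npassword: '$2y$10$constructedhashvalue'\nmessage: hello\n")
    return scan_tmp(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for key, lineno in hits:
            print(f"{path}:{lineno}: clear-text value under key '{key}'")
```

Run it against a real install as `scan_tmp("/path/to/grav/tmp")` from a cron job or a deploy hook; a non-empty result is the signal that cached form data with credentials is lingering on disk, independent of whether the web server happens to block tmp/.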