
[QA] oc_appconfig stores passwords unencrypted

Open jnweiger opened this issue 4 years ago • 3 comments

Seen in oc 10.8.0-beta2

#38728 encrypts mount passwords stored in the database. But there are more locations where passwords are stored unencrypted:

MariaDB [owncloud]> select * from oc_appconfig where configkey like '%pass%';
+-----------+------------------------+--------------+
| appid     | configkey              | configvalue  |
+-----------+------------------------+--------------+
| user_ldap | s01ldap_agent_password | b3duY2xvdWQ= |
| user_ldap | s02ldap_agent_password | UEBzc3cwcmQ= |
+-----------+------------------------+--------------+
2 rows in set (0.005 sec)

These two are base64 encoded and can be trivially converted back to their plain text representation (owncloud and P@ssw0rd).

jnweiger avatar Jul 14 '21 00:07 jnweiger
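An added example, not part of the original issue or ownCloud's code: an audit pass over exported `oc_appconfig` rows that flags secret-like keys whose value is only base64 of readable text, as reported above. The key-name pattern, function names, status labels and the last two sample rows are assumptions constructed for illustration; decoded values are never echoed, only their length.

```python
import base64
import binascii
import re

# Assumed heuristic for key names that hold credentials; extend as needed.
SECRET_KEY_RE = re.compile(r"pass|secret|token", re.IGNORECASE)


def decode_if_reversible(value):
    """Return decoded text if value is strict base64 of printable UTF-8, else None."""
    if not value or len(value) % 4 != 0:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def audit_appconfig(rows):
    """Classify secret-like (appid, configkey, configvalue) rows."""
    findings = []
    for appid, key, value in rows:
        if not SECRET_KEY_RE.search(key):
            continue  # not a credential-looking key
        decoded = decode_if_reversible(value)
        findings.append({
            "appid": appid,
            "configkey": key,
            # base64 is an encoding, not encryption: treat as plaintext at rest
            "status": "base64-only" if decoded is not None else "needs-review",
            "decoded_len": len(decoded) if decoded is not None else None,
        })
    return findings


# First two rows are from the issue; the last two are constructed samples.
SAMPLE_ROWS = [
    ("user_ldap", "s01ldap_agent_password", "b3duY2xvdWQ="),
    ("user_ldap", "s02ldap_agent_password", "UEBzc3cwcmQ="),
    ("user_ldap", "s01ldap_host", "ldap.example.test"),
    ("example_app", "example_password", "v1|constructed-opaque-value"),
]

if __name__ == "__main__":
    for finding in audit_appconfig(SAMPLE_ROWS):
        print(finding)
```

Rows reported as `needs-review` are either literal plaintext or an opaque format; the script cannot tell those apart without knowing the storage scheme.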

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Jan 10 '22 01:01 github-actions[bot]

This issue has been automatically closed.

github-actions[bot] avatar Jan 20 '22 01:01 github-actions[bot]

Reproduced in core 10.11.0 with user_ldap 0.16.1

jnweiger avatar Nov 17 '22 11:11 jnweiger