Bug 7814 - Survey and remove password echoing
Survey and remove password echoing
Status: RESOLVED FIXED
Product: OJS
Classification: Unclassified
Component: Plug-ins
2.4.2
All All
: P3 normal
Assigned To: PKP Support
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-29 17:18 PDT by James MacGregor
Modified: 2013-01-03 09:46 PST (History)
1 user (show)

See Also:
Version Reported In:
Also Affects:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description James MacGregor 2012-08-29 17:18:53 PDT
After I enable the Lucene Plugin and go to the settings page, all fields presented to me include default information, including the password field. This in and of itself was a little weird -- the username and password should be blank. 

Additionally, I checked the fields for the Lucene plugin in the plugin_settings table, and it looks like the password entry ("please change") is stored unencrypted. If I change the default password, I can still read it in plaintext in the database.
Comment 1 Alec Smecher 2012-08-30 11:12:02 PDT
James, we don't currently have a vault for passwords so there are a few plugins that store passwords in the database. Not ideal, but OK for now.

Passwords should never be echoed back to the user e.g. in a setup form, however -- I've asked FUB to fix this (and as far as I'm concerned that's the only part of this that needs addressing for 2.4.0).

The default settings are configured to match the Java part of the deployment. Changing the password etc. are described in the plugin's README.
Comment 2 Alec Smecher 2012-08-30 12:11:31 PDT
Several plugins permit echoing back to the user of stored passwords (lucene, medra, sword, duracloud, duracite).

Ideally we should be storing these in a vault of some kind, but at the very least, it should not be possible to echo them back to the user via the UI.
Comment 3 Alec Smecher 2012-08-30 13:19:00 PDT
(Note that this has been fixed in the lucene plugin -- see <https://github.com/pkp/ojs/commit/8ded4a3629709731a6f13e03c66c4d9ffeb69532>)
Comment 4 Alec Smecher 2013-01-02 14:25:02 PST
Avoid echoing SWORD passwords back to the browser
https://github.com/pkp/ojs/commit/bb2bffe70a235dbd73e3a4e5f72d46eb2b8fe69e
Comment 5 Alec Smecher 2013-01-02 14:25:02 PST
Avoid echoing SWORD passwords back to the browser
https://github.com/pkp/ojs/commit/3694619fbc7bf620f51f8e9ee80c220c2515a45f
Comment 6 Alec Smecher 2013-01-03 09:46:39 PST
DuraCloud appears to be OK; fixed for SWORD. Have suggested FUB put the rest on their list but that's a low priority.