PKP Bugzilla – Bug 7814
Survey and remove password echoing
Last modified: 2013-01-03 09:46:39 PST
After I enable the Lucene Plugin and go to the settings page, all fields presented to me include default information, including the password field. This in and of itself was a little weird -- the username and password should be blank. Additionally, I checked the fields for the Lucene plugin in the plugin_settings table, and it looks like the password entry ("please change") is stored unencrypted. If I change the default password, I can still read it in plaintext in the database.
James, we don't currently have a vault for passwords so there are a few plugins that store passwords in the database. Not ideal, but OK for now. Passwords should never be echoed back to the user e.g. in a setup form, however -- I've asked FUB to fix this (and as far as I'm concerned that's the only part of this that needs addressing for 2.4.0). The default settings are configured to match the Java part of the deployment. Changing the password etc. is described in the plugin's README.
Several plugins permit echoing back to the user of stored passwords (lucene, medra, sword, duracloud, duracite). Ideally we should be storing these in a vault of some kind, but at the very least, it should not be possible to echo them back to the user via the UI.
(Note that this has been fixed in the lucene plugin -- see <https://github.com/pkp/ojs/commit/8ded4a3629709731a6f13e03c66c4d9ffeb69532>)
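The pattern the comments above ask for, as an added example that is not OJS/PKP or plugin code: the settings form is built from the stored values minus the secret, and a blank password field on submit means "keep the current one". The `$stored` array and the function names are assumptions standing in for a plugin's settings storage.

```php
<?php
// Added example (not PKP/OJS code). Hypothetical settings handling for a
// plugin that keeps a remote-service username and password in its settings.

// Data handed to the settings template: everything except the password.
// The template renders an empty password input plus a "password is set" hint.
function buildSettingsFormData(array $stored): array
{
    $data = $stored;
    unset($data['password']);               // never send the secret to the browser
    $data['passwordIsSet'] = isset($stored['password']) && $stored['password'] !== '';
    return $data;
}

// Apply a submitted form to the stored settings. A blank password field is
// the "unchanged" signal, so the form can be saved without re-entering it.
function applySettingsUpdate(array $stored, array $submitted): array
{
    $updated = $stored;
    $updated['username'] = trim((string)($submitted['username'] ?? ''));
    $newPassword = (string)($submitted['password'] ?? '');
    if ($newPassword !== '') {              // only overwrite when a new value was typed
        $updated['password'] = $newPassword;
    }
    return $updated;
}

// Constructed sample data: what the plugin has stored (the password is a placeholder).
$stored = ['username' => 'indexer', 'password' => 'PLACEHOLDER-SECRET'];

$formData = buildSettingsFormData($stored);
assert(!array_key_exists('password', $formData));   // nothing to echo back
assert($formData['passwordIsSet'] === true);

// Submitting the form with the password field left blank keeps the old secret.
$after = applySettingsUpdate($stored, ['username' => 'indexer2', 'password' => '']);
assert($after['password'] === 'PLACEHOLDER-SECRET' && $after['username'] === 'indexer2');

// Submitting a new value replaces it.
$after = applySettingsUpdate($stored, ['username' => 'indexer', 'password' => 'NEW-PLACEHOLDER']);
assert($after['password'] === 'NEW-PLACEHOLDER');

echo "form data keys: " . implode(', ', array_keys($formData)) . "\n";
```

The same split applies to the database layer: the stored secret is read only inside the save path, never into the template context.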
Avoid echoing SWORD passwords back to the browser https://github.com/pkp/ojs/commit/bb2bffe70a235dbd73e3a4e5f72d46eb2b8fe69e
Avoid echoing SWORD passwords back to the browser https://github.com/pkp/ojs/commit/3694619fbc7bf620f51f8e9ee80c220c2515a45f
DuraCloud appears to be OK; fixed for SWORD. Have suggested FUB put the rest on their list but that's a low priority.