Bug 456210 - Plaintext passwords in web_customer.password
Status: CLOSED CURRENTRELEASE
Product: Spacewalk
Classification: Community
Component: Server
Version: 0.1
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
Keywords: Security
Blocks: space02
Reported: 2008-07-22 04:54 EDT by Jan Pazdziora
Modified: 2009-09-17 02:59 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-17 02:59:35 EDT

Description Jan Pazdziora 2008-07-22 04:54:10 EDT
When you create a new organization in RHN Satellite v5.1.0, the
administrator password is stored in plain text in the web_customer
table.

That field isn't even used; we should drop the column from our DB entirely.

In Spacewalk 0.1, the Java code does not pass in a password to the call to the
stored proc: create_new_org. But the database column is still there.

This is related to Satellite's bug 450038 and bug 453664.
Comment 1 Jan Pazdziora 2008-07-22 05:00:30 EDT
Fix committed: a6a0b3864af0ccd52dcaae121bf070a36d8f6a1a.
Comment 2 Jan Pazdziora 2008-07-22 06:25:08 EDT
Plus fix: cd62f73a778af286132e27b6ff41377ab1618327
Comment 3 Devan Goodwin 2008-09-05 10:43:33 EDT
SQL> desc web_customer;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 ID                                        NOT NULL NUMBER
 NAME                                      NOT NULL VARCHAR2(128)
 ORACLE_CUSTOMER_ID                                 NUMBER
 ORACLE_CUSTOMER_NUMBER                             NUMBER
 CUSTOMER_TYPE                             NOT NULL CHAR(1)
 CREDIT_APPLICATION_COMPLETED                       VARCHAR2(1)
 CREATED                                   NOT NULL DATE
 MODIFIED                                  NOT NULL DATE

SQL>

Verified against spacewalk 0.2.
Comment 4 Miroslav Suchý 2009-09-17 02:59:35 EDT
Spacewalk has been released for a long time.