Just as a general point of etiquette, it’s customary to notify vendors
of security related issues privately before publicly announcing them.
Posting the details of security-related issues to a public mailing list
without giving the folks who make a package a chance to address a potential
vulnerability is irresponsible and potentially dangerous.
Thankfully, at first glance, it looks like the issue you’ve run into
isn’t particularly dangerous. RT ships with stack trace logging
disabled and generally the folks who have access to application logs
are also the folks who manage the application.
I do believe that the issue you’ve noticed merits a note in the config
file that it’s possible for sensitive data to get logged if that
function is enabled. I intend to make that change for RT 3.8.3, but
don’t currently believe that this issue requires an accelerated release.
Best Practical

On Mon 2.Feb’09 at 17:26:14 -0500, Akash wrote:
When I enabled logging of stack traces, the user passwords are being
written in cleartext in the log files!
I enabled stack tracing by adding the following line in
Can somebody please fix this serious error so that passwords are
encrypted? I am using RT 3.8.1 installed
from ports on a FreeBSD machine. (Actually I think I got a patch from
someone in this mailing list.) If
the error has been fixed in 3.8.2, please let me know.
Also, if a 3.8.2 port is available, is it stable enough to update my 3.8.1
Community help: http://wiki.bestpractical.com
Commercial support: email@example.com
Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
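The failure mode Akash describes, a stack-trace logger that records each frame's variables and therefore the cleartext password, alongside the defender's counterpart, a log filter that redacts the secret before the record reaches any handler. This is an added Python illustration, not RT's own (Perl) code; the login routine, logger names and field names are constructed.

```python
import io
import logging
import re
import traceback

# Constructed stand-in for an authentication path; not RT's code.
def check_password(user, password):
    raise RuntimeError("auth backend unavailable")

def login(user, password):
    return check_password(user, password)

def stack_trace_with_args(exc):
    # Like a trace logger that dumps each frame's variables: every frame
    # that received the password prints it in cleartext.
    te = traceback.TracebackException.from_exception(exc, capture_locals=True)
    return "".join(te.format())

class CredentialScrubber(logging.Filter):
    # Redact quoted values assigned to credential-like names. Logger-level
    # filters run before any handler, so files and aggregators never see the secret.
    PATTERN = re.compile(r"(?i)\b(password|passwd|secret)\b(\s*(?:=>|[=:])\s*)(['\"])(.*?)\3")

    def filter(self, record):
        record.msg = self.PATTERN.sub(r"\g<1>\g<2>\g<3>[REDACTED]\g<3>", record.getMessage())
        record.args = ()  # message is already fully formatted
        return True

def log_failed_login(user, password, scrub):
    """Run a failing login, log its stack trace, and return what reached the log."""
    buf = io.StringIO()
    logger = logging.getLogger("rt.auth.scrubbed" if scrub else "rt.auth.raw")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    if scrub:
        logger.addFilter(CredentialScrubber())
    try:
        login(user, password)
    except RuntimeError as exc:
        logger.error("login failed:\n%s", stack_trace_with_args(exc))
    return buf.getvalue()
```

Run `log_failed_login("alice", "hunter2", scrub=False)` to see the password in every frame, and with `scrub=True` to see it replaced while the rest of the trace survives.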