Re: [epf-dev] Security Questions

Hi Christian,
Passwords are removed from log files using the filtered_parameter_logging parameter. This feature is applied in the code; see this line in login_controller.rb:
filter_parameter_logging :password, :password_confirmation

Passwords are not stored anywhere. Only a 'hash' of the password is saved to the database together with the account details (name, email). As a consequence it is not possible to recover or resend a lost password. If you look for example at http://epf.eclipse.org/login/lost_password you will notice that you have to provide a new password. The new password will only become active after it is confirmed using the confirmation link in the email that will be sent when the form is submitted.

I don't know of any other known security issues. Currently there are no issues in Eclipse Bugs regarding security.
Best Regards,
Onno
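
As an added example (not code from the EPF wiki or from Rails), the following plain-Ruby sketch shows the two properties described in the reply: a recursive parameter filter that redacts the named keys before a params hash is written to a log, and salted one-way password hashing with verification, which is why a lost password can only be replaced, never recovered. The filtered key names are the ones quoted above; the sample params, the PBKDF2 settings and the helper names are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Keys whose values must never reach a log line (the same names the
# controller passes to filter_parameter_logging).
FILTERED_KEYS = %w[password password_confirmation].freeze

# Replace filtered values recursively so nested params are covered too.
def filter_params(params)
  params.each_with_object({}) do |(key, value), out|
    out[key] =
      if FILTERED_KEYS.include?(key.to_s) then '[FILTERED]'
      elsif value.is_a?(Hash) then filter_params(value)
      else value
      end
  end
end

PBKDF2_ITERATIONS = 100_000 # assumed work factor
KEY_LENGTH = 32             # bytes of derived hash

# Derive a salted PBKDF2-HMAC-SHA256 hash; only salt and hash are stored,
# the plaintext password is discarded.
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS,
                                      KEY_LENGTH, 'sha256')
  { salt: salt.unpack1('H*'), hash: digest.unpack1('H*') }
end

# Constant-time byte comparison so a mismatch position does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a login attempt: recompute with the stored salt and compare.
def password_matches?(stored, candidate)
  salt = [stored[:salt]].pack('H*')
  digest = OpenSSL::PKCS5.pbkdf2_hmac(candidate, salt, PBKDF2_ITERATIONS,
                                      KEY_LENGTH, 'sha256')
  secure_equal?(digest, [stored[:hash]].pack('H*'))
end

# Constructed sample of what a login form submission might look like.
LOGIN_PARAMS = {
  'controller' => 'login', 'action' => 'login',
  'user' => { 'email' => 'alice@example.invalid', 'password' => 'hunter2' },
  'password_confirmation' => 'hunter2'
}.freeze

puts filter_params(LOGIN_PARAMS).inspect # safe to write to a log
```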

On Tue, Mar 16, 2010 at 11:45 AM, <Christian.Kopietz@xxxxxxxxxxxxxx> wrote:

Hi There,

I am charged with finding out if there are any known security issues within the epf wiki. Are there logs with personal data, and if so, for how long are they held ready by default? How are the registered users stored and especially how is the login password stored? Would be nice if someone could help me out.

With kind regards

Christian Kopietz
Bachelor of Computer Science
IT-Infrastructure & Applications

--
Innovations Software Technology GmbH
Bosch Group
Ziegelei 7, 88090 Immenstaad/GERMANY
Tel. +49 7545 202-251
Fax +49 7545 202-301
mailto:christian.kopietz@xxxxxxxxxxxxxx
www.innovations.de

Executives: Achim Berger, Thomas Cotic, Thomas Schmid
Register Court Ulm HRB 631888

This message may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please inform us immediately and destroy this message including all copies thereof.


_______________________________________________
epf-dev mailing list
epf-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/epf-dev