Uploaded image for project: 'Bitbucket Data Center'
  1. Bitbucket Data Center
  2. BSERV-4819

Stash uses plain text passwords in the database for the Crowd User Directory

XMLWordPrintable

      I managed to accidentely lock myself out of my stash instance this morning during a routine upgrade and while looking for the name of a local stash user account I noticed that the password for the Crowd User Directory I'd setup (incorrectly) was stored as plain text in table cwd_directory_attribute immediately after the 'name' of the user directory (update: attribute name = application.password).

      I know that someone there knows this little piece of wonderful intel already, but I thought - as plain text passwords in the database are generally regarded as a 'bad idea' - that I should create an issue to request that they be encrypted. as they are in other Atlassian tools (I believe).

      Update: 20140604

      • Turns out I was wrong - I checked my JIRA instance and the user directory password is stored in plain text there as well. I will create an issue there as well, and in the other tools as I get a chance to check them.

      Feel free to adjust the priority as you see fit - I haven't given any thought to how SWIM could use this information in a harmful way but if something occurs to me I'll add it as a comment.

      Cheers,
      -wc

              Unassigned Unassigned
              a09a4d781816 William Crighton [CCC]
              Votes:
              3 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: