Adding Subscription Cal by URL stores user password unencrypted


    • Severity 3 - Minor

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      I discovered that calendar subscriptions not only store user credentials, but do so unencrypted!!! There is really no excuse for this.

      Subscribe to a calendar by URL, then in the DB:

      SELECT TOP 1000 [ID]
            ,[KEY]
            ,[SUB_CALENDAR_ID]
            ,[VALUE]
        FROM [YOUR-DB-NAME].[dbo].[AO_950DC3_TC_SUBCALS_PROPS]
      

      As an enterprise client, whose authentication is linked via LDAP, this is completely unacceptable and probably a PCI compliance violation too.

        1. Cal-subscription-issue.png
          115 kB
          Bronwen Stine
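
An added example, not part of the original report or of the product's code: a defender-side audit that takes rows returned by the SELECT above and flags ones that look like stored credentials, without echoing the secret into the audit output. The key-name patterns and the sample rows are assumptions, since the report does not say which KEY holds the password.

```python
"""Audit rows exported from AO_950DC3_TC_SUBCALS_PROPS for plaintext credentials."""
import re
from urllib.parse import urlsplit

# Assumption: the report does not name the KEY that holds the credential,
# so key names are matched heuristically.
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|credential", re.I)


def classify(key, value):
    """Return the reason a row looks like a stored credential, or None."""
    if not value:
        return None  # empty values hold no secret
    if SENSITIVE_KEY.search(key or ""):
        return "key name suggests a credential"
    try:
        parts = urlsplit(value)
    except ValueError:
        return None  # not parseable as a URL
    if parts.scheme and parts.password:
        return "URL embeds user:password"
    return None


def audit(rows):
    """rows: (ID, KEY, SUB_CALENDAR_ID, VALUE) tuples, in the SELECT's column order.

    Findings carry only the value's length, so the output is safe to share.
    """
    findings = []
    for row_id, key, sub_id, value in rows:
        reason = classify(key, value)
        if reason:
            findings.append({"id": row_id, "sub_calendar_id": sub_id, "key": key,
                             "reason": reason, "value_length": len(value)})
    return findings


# Constructed sample rows; key names and values are illustrative only.
SAMPLE_ROWS = [
    (1, "name", "cal-a", "Team holidays"),
    (2, "sourceLocation", "cal-a", "https://cal.example.test/team.ics"),
    (3, "password", "cal-a", "example-not-a-real-password"),
    (4, "sourceLocation", "cal-b", "https://alice:example-pw@cal.example.test/a.ics"),
    (5, "password", "cal-c", ""),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

Each SUB_CALENDAR_ID in the findings identifies a subscription whose credential should be treated as exposed to anyone with database or backup access and rotated.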

              Assignee: Duy Truong Luong
              Reporter: Bronwen Stine