Password Revealed - security issue

Infos:

  • Used Zammad version: 2.20
  • Used Zammad installation source: docker-compose
  • Operating system: RedHat
  • Browser + version: Chrome (latest)

Expected behavior:

Actual behavior:

  • Using an on-hover password revealer tool shows, as plain text, the actual password that was used to set up the email settings.

Steps to reproduce the behavior:

  • Set up your email account to be associated with Zammad and fill in the password.
    Then afterwards go to edit and use a password reveal tool.

Indeed, this could be a security issue.

Question:

In your environment, is the Zammad admin not allowed to know the password for the mailbox?
Because to reveal the password you have to be an admin of the Zammad system, who probably already knows the password.

Anyway, I agree with that enhancement request.

We have multiple admins.
A shared mailbox from a Microsoft Exchange server is used.
However, to log in to the shared mailbox your personal credentials have to be used,
and we don't want to share personal credentials with each other.
Nevertheless, the passwords can be revealed using a simple hover-over tool.

Therefore I am wondering how passwords are stored in Zammad.
The email settings passwords seem to be stored as plain text, is this correct?
How are passwords from customers/agents/admins stored?

You could, at least as a workaround, create a dummy account that does not belong to a personal admin, and use that Exchange account to access the shared mailbox.
Normally you could also use the credentials of the shared mailbox directly, as long as I don't misunderstand how you use your Exchange accounts.

Nevertheless, this can be a problem. I guess that Zammad does it this way because most POP/IMAP connectors do the same within their config files.

From what I see in the database dumps, the e-mail account credentials are stored in clear text; user information like agents and customers seems to be hashed passwords, as you'd expect from a proper system 🙂

See https://github.com/zammad/zammad/issues/460

I agree that the UI should not reveal the password, though.
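One way to check that distinction (hashed user passwords versus cleartext mail-account credentials) in an exported dump yourself, as an added example that is not part of this thread or of Zammad's own code; the table and column layout in the sample is constructed, and the hash patterns are generic modular-crypt formats, not a statement about what Zammad uses:

```python
import re
from typing import Any, Dict, List, Tuple

# Stored values that look like a real password hash (modular-crypt / PHC style strings).
# Any other non-empty string is reported as cleartext.
HASH_PATTERNS = [
    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),            # bcrypt
    re.compile(r"^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$"), # argon2
    re.compile(r"^\$(?:5|6)\$"),                                    # sha256/sha512-crypt
]

def classify_secret(value: Any) -> str:
    """Return 'empty', 'hashed' or 'plaintext' for one stored password value."""
    if not isinstance(value, str) or value == "":
        return "empty"
    if any(p.match(value) for p in HASH_PATTERNS):
        return "hashed"
    return "plaintext"

def _walk(node: Any, path: str, out: List[Tuple[str, Any]]) -> None:
    # Recursively collect (dotted path, value) for every key that names a password,
    # so nested serialized settings (like mail channel options) are covered too.
    if isinstance(node, dict):
        for key, val in node.items():
            child = f"{path}.{key}" if path else str(key)
            if isinstance(val, (dict, list)):
                _walk(val, child, out)
            elif "password" in str(key).lower() or "passwd" in str(key).lower():
                out.append((child, val))
    elif isinstance(node, list):
        for i, val in enumerate(node):
            _walk(val, f"{path}[{i}]", out)

def audit_dump(dump: Dict[str, List[Dict[str, Any]]]) -> List[Tuple[str, Any, str, str]]:
    """Return (table, row id, field path, classification) for every password-like field."""
    findings: List[Tuple[str, Any, str, str]] = []
    for table, rows in dump.items():
        for row in rows:
            fields: List[Tuple[str, Any]] = []
            _walk(row, "", fields)
            findings += [(table, row.get("id"), f, classify_secret(v)) for f, v in fields]
    return findings

# Constructed sample dump; table and column names are hypothetical, not Zammad's real schema.
SAMPLE_DUMP = {
    "users": [{"id": 1, "login": "admin",
               "password": "$2a$12$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"}],
    "channels": [{"id": 1, "area": "Email::Account", "options": {"inbound": {
        "host": "mail.example.test", "user": "shared@example.test",
        "password": "constructed-cleartext-secret"}}}],
}
```

Run it over a real export by loading the tables into the same dict shape; every finding tagged `plaintext` is a secret that an admin-level UI or a dump reader can recover as-is.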

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.