Fixed Got one serious bug. Check it out.
- Thread starter Slink
- Start date
Jake Bunce
Well-known member
Failed SMTP connections can cause server errors which are logged. That's true. But the logs are only accessible to the admin. I don't see a problem with this.
Where else are the admins capable of viewing user passwords? Note also that when you change a users password via the admin panel, the value is not recorded in the admin log. Sure, if you trust your admins and have SMTP setup properly, this isn't really an issue. However that will not be the case for everybody, and if for nothing else but consistency, passwords should be blanked from the error log.
ENF
Well-known member
For reference, if the mail connection for sending fails, this shows up in the bottom of the error message when a user registers:
Code:
array(3) {
["url"] => string(36) "http://someotherwebsite.jkl/register/register"
["_GET"] => array(0) {
}
["_POST"] => array(13) {
["username"] => string(7) "Someusername"
["email"] => string(19) "someonesemail@somemailhost.com"
["password"] => string(9) "Apassword"
["password_confirm"] => string(9) "Apassword"
["dob_month"] => string(1) "6"
["dob_day"] => string(1) "1"
["dob_year"] => string(4) "1984"
["gender"] => string(6) "male"
["timezone"] => string(16) "America/New_York"
["recaptcha_challenge_field"] => string(185) "03AHJ_VusdWbYKxYhIECpyPIwqjk-xJ-g0TodfJiH_58XFq6h-eh2RnBsre_LpJvnBhQtdUbFRQMTK_6fpDIayXRn_quroo3eXAtH0WmhrT4Ub-j0Tp4Ekic9bcr51h6i2-TQ7LWELQxFbPboi5Z56kW4XDoLb-E6bwvm94dwuSAnuZfdX05iJNgg"
["recaptcha_response_field"] => string(14) "ysteaak places"
["agree"] => string(1) "1"
["_xfToken"] => string(0) ""
}
}Jake Bunce
Well-known member
Then you would have to setup different error handling for registration and login because both requests submit a password. I personally see no problem. The devs will decide if an exception is warranted.
Not really. You'd just have to strip post inputs for password and password_confirm when inserting things in the error log. No need to make it more complicated from that, just strip it in whatever function actually saves the logs to the database. No special handling is required beyond that.
If this ever poses an actual problem for you then you are employing the wrong admins.
As much as I wish we lived in a world where everyone completely trusted their administrators, and chose them very carefully, and that administrators would never "go rogue," history has shown that is certainly not the case. You're completely correct that no good admin would use this bug for malicious purposes, but unfortunately in the real world not every admin is a good admin, and that will never be the case. S* happens, sometimes people you trust with your life turn on you.
So yeah, the real problem is with bad admins, but since we don't live in a perfect world I still feel this needs addressing. It's so easy to fix anyways. I could do it in 5-10 minutes (with direct file edits).
Edit: Not on my dev machine right now but I'll go ahead come up for a fix for this as soon as I can.
Brandon Sheley
Well-known member
If there is ever a situation that the admins can see our passes in clear text, it's definitely a problem.
This should be fixed in the core, and not required a 3rd party addon IMHO.
This should be fixed in the core, and not required a 3rd party addon IMHO.
Waindigo got it!
Jon W
Well-known member
It is not just admins that are the worry... the password is being stored in plain text in the database. This could cause no end of trouble for the site owner and the affected users if the site was ever hacked. I have to agree that this is a serious bug.
Bug fix here:
http://xenforo.com/community/resources/smtp-registration-bug-fix-by-waindigo.1174/
Bug fix here:
http://xenforo.com/community/resources/smtp-registration-bug-fix-by-waindigo.1174/
Adam Howard
Well-known member
I can confirm this.
Both on a stock install and on a fully customized site.
Both on a stock install and on a fully customized site.
