Fixed Got one serious bug. Check it out.

[Slink]

If some one setup smtp wrong.
And when some one register onto that forum. His all details(Username, pass, email, time setting) will be clearly visible in servererrorlogs.

I tested it several time and all time I got this.

Fix this.
Thank You.
Regards,
Slink

 

[Jake Bunce]

Failed SMTP connections can cause server errors which are logged. That's true. But the logs are only accessible to the admin. I don't see a problem with this.

 

[Jeremy P]

Failed SMTP connections can cause server errors which are logged. That's true. But the logs are only accessible to the admin. I don't see a problem with this.

Where else are the admins capable of viewing user passwords? Note also that when you change a users password via the admin panel, the value is not recorded in the admin log. Sure, if you trust your admins and have SMTP setup properly, this isn't really an issue. However that will not be the case for everybody, and if for nothing else but consistency, passwords should be blanked from the error log.

 

[ENF]

For reference, if the mail connection for sending fails, this shows up in the bottom of the error message when a user registers:

array(3) {
  ["url"] => string(36) "http://someotherwebsite.jkl/register/register"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(13) {
    ["username"] => string(7) "Someusername"
    ["email"] => string(19) "someonesemail@somemailhost.com"
    ["password"] => string(9) "Apassword"
    ["password_confirm"] => string(9) "Apassword"
    ["dob_month"] => string(1) "6"
    ["dob_day"] => string(1) "1"
    ["dob_year"] => string(4) "1984"
    ["gender"] => string(6) "male"
    ["timezone"] => string(16) "America/New_York"
    ["recaptcha_challenge_field"] => string(185) "03AHJ_VusdWbYKxYhIECpyPIwqjk-xJ-g0TodfJiH_58XFq6h-eh2RnBsre_LpJvnBhQtdUbFRQMTK_6fpDIayXRn_quroo3eXAtH0WmhrT4Ub-j0Tp4Ekic9bcr51h6i2-TQ7LWELQxFbPboi5Z56kW4XDoLb-E6bwvm94dwuSAnuZfdX05iJNgg"
    ["recaptcha_response_field"] => string(14) "ysteaak places"
    ["agree"] => string(1) "1"
    ["_xfToken"] => string(0) ""
  }
}

 

[Jake Bunce]

Then you would have to setup different error handling for registration and login because both requests submit a password. I personally see no problem. The devs will decide if an exception is warranted.

 

[Slink]

This is a serious problem. Because, Admin can see other users password. Sometimes they put there mail password and forum login password same. So, this is a serious Problem.
If the password not visible in clear-text then it will be better.

 

[Jeremy P]

Then you would have to setup different error handling for registration and login because both requests submit a password. I personally see no problem. The devs will decide if an exception is warranted.

Not really. You'd just have to strip post inputs for password and password_confirm when inserting things in the error log. No need to make it more complicated from that, just strip it in whatever function actually saves the logs to the database. No special handling is required beyond that.

 

[Chris D]

This is a serious problem. Because, Admin can see other users password. Sometimes they put there mail password and forum login password same. So, this is a serious Problem.
If the password not visible in clear-text then it will be better.

If this ever poses an actual problem for you then you are employing the wrong admins.

 

[Jeremy P]

If this ever poses an actual problem for you then you are employing the wrong admins.

As much as I wish we lived in a world where everyone completely trusted their administrators, and chose them very carefully, and that administrators would never "go rogue," history has shown that is certainly not the case. You're completely correct that no good admin would use this bug for malicious purposes, but unfortunately in the real world not every admin is a good admin, and that will never be the case. S* happens, sometimes people you trust with your life turn on you.

So yeah, the real problem is with bad admins, but since we don't live in a perfect world I still feel this needs addressing. It's so easy to fix anyways. I could do it in 5-10 minutes (with direct file edits).

Edit: Not on my dev machine right now but I'll go ahead come up for a fix for this as soon as I can.

 

[Brandon Sheley]

If there is ever a situation that the admins can see our passes in clear text, it's definitely a problem.
This should be fixed in the core, and not required a 3rd party addon IMHO.

 

[Jeremy P]

Just to note, I won't be releasing the fix as an addon. If somebody else wants to, feel free. I am just going to provide a code edit to show how easily this can be addressed and to save the devs time should they (hopefully) decide that this needs addressing.

Waindigo got it!

 

[Jon W]

It is not just admins that are the worry... the password is being stored in plain text in the database. This could cause no end of trouble for the site owner and the affected users if the site was ever hacked. I have to agree that this is a serious bug.

Bug fix here:
http://xenforo.com/community/resources/smtp-registration-bug-fix-by-waindigo.1174/

 

[Slink]

Thanks waindigo for the fix. Thanks a lot again.

 

[Adam Howard]

I can confirm this.

Both on a stock install and on a fully customized site.

 

[Mike]

There were some cases where we prevented this information from being logged (like in admin logs), but I've made sure to filter it out everywhere now.