Any user can obtain all passwords via field editor

Description

1. Go to the browser to access ZK client
2. Log in as any User
3. Open up User window and locate an Admin record
4. Go to password field, right click and select Value Preferences or Editor
5. You will see the password exposed

Screen shot and patch of WStringEditor.java attached.

Credit for exposing this bug goes to Edilson Neto of the Adempiere LBR project (Localization Brazil).
Edilson has also informed the Adempiere project, and a tracker was also raised there by Ricardo Santana.

Environment

iDempiere server ZK client, all adempiere versions

Activity

Carlos Ruiz May 14, 2013 at 4:49 AM

Thanks Anthony, I reviewed the patch but it seems the problem is bigger and obscured fields require a different approach: when editable they can show the clear value, but when not editable they must avoid showing it (and at this moment it is showing it even directly, without opening the editor).
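The rule stated in the comment above, together with the reproduction steps in the description, as an added illustration in Java. This is not iDempiere's WStringEditor code and not the attached patch; the Kind enum, displayText and allowsValueDialog are hypothetical names, and the sample values are constructed.

```java
// Hypothetical illustration (not iDempiere's WStringEditor): decide what text a
// string editor may render and whether a value dialog may open, so that the
// editor / value-preference dialog never reveals a password and an obscured
// field (e.g. a credit card number) is masked whenever it is not editable.
import java.util.Arrays;

public class SensitiveFieldDisplay {

    /** How the column is flagged in the data dictionary (assumed names). */
    enum Kind { PLAIN, PASSWORD, OBSCURED }

    /** Replace every character with '*', keeping only the length visible. */
    static String mask(String clear) {
        if (clear == null) return "";
        char[] stars = new char[clear.length()];
        Arrays.fill(stars, '*');
        return new String(stars);
    }

    /**
     * Password fields get no "Value Preference" / "Editor" pop-up at all:
     * those dialogs render the raw value, which is exactly the leak reported.
     */
    static boolean allowsValueDialog(Kind kind) {
        return kind != Kind.PASSWORD;
    }

    /**
     * Text that may be rendered for the field in any widget.
     * Password: never in clear. Obscured: clear only while editable.
     */
    static String displayText(Kind kind, boolean editable, String clear) {
        if (clear == null) return "";
        switch (kind) {
            case PASSWORD: return mask(clear);
            case OBSCURED: return editable ? clear : mask(clear);
            default:       return clear;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        System.out.println("password dialog allowed: " + allowsValueDialog(Kind.PASSWORD));
        System.out.println("password, editable:      " + displayText(Kind.PASSWORD, true, "s3cret"));
        System.out.println("card, read-only:         " + displayText(Kind.OBSCURED, false, "4111111111111111"));
        System.out.println("card, editable:          " + displayText(Kind.OBSCURED, true, "4111111111111111"));
        System.out.println("plain, read-only:        " + displayText(Kind.PLAIN, false, "GardenAdmin"));
    }
}
```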

Anthony Sossah May 13, 2013 at 8:43 PM

OK, I have added obscured-field checking to the patch.
My Bitbucket account is xolali.

Carlos Ruiz May 10, 2013 at 8:39 PM

Thanks a lot Anthony, it solved the problem.

Found also a similar issue with obscured fields (like credit card on payment window).

Regards,

Carlos Ruiz

RedhuanO May 9, 2013 at 9:10 PM

I noticed also that the User field is labeled as 'Usuario'.

Fixed

Created May 9, 2013 at 8:11 PM
Updated May 14, 2013 at 5:06 AM
Resolved May 14, 2013 at 5:04 AM