Author Topic: smartydebug -- possible security issue (Read 1919 times)

lcdweb · September 05, 2008, 11:26:33 am

J1.5.x + beta3

Not sure the best way to handle this, but --

I had debugging turned on and was using the smartyDebug to work on some templates. I noticed that it dumps the config array, which basically includes all the settings from the global settings pages. That includes some sensitive info like the SMTP username and password (unencrypted).

I know there's a warning about how debugging should be turned off for live sites, but I think that's still a risky security hole. I know some of the config stuff might be useful to have accessible in templates, but at least some of it needs to be unavailable all the time (I think).

I don't recall seeing all those details in v2.0, so I'm posting it here.

Donald Lobo · September 05, 2008, 04:00:31 pm

Can you file an issue for this. we should eliminate this information and other password information from the config file (like dsn's). I suspect we'll move mailer information to its own table and start reducing the size of the config file. We'll fix this for 2.2 (since its a db schema change)

lobo

lcdweb · September 06, 2008, 05:05:44 am

http://issues.civicrm.org/jira/browse/CRM-3506

CiviCRM Community Forums (archive)

News:

Author Topic: smartydebug -- possible security issue (Read 1919 times)

lcdweb

smartydebug -- possible security issue

Donald Lobo

Re: smartydebug -- possible security issue

lcdweb

Re: smartydebug -- possible security issue