CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Topic: SMTP server password stored in clear text in database

hlevinson

SMTP server password stored in clear text in database
August 27, 2009, 02:12:13 pm
Primarily this is an FYI, in case people haven't come across this:

The CiviCRM SMTP server password is stored in clear text in the database.

When I started learning CiviCRM a couple of months ago, I experimented with different mail settings. I went back and forth between the SMTP and Sendmail options. (I'm using Sendmail now in my dev setup.)

I had to grep my MySQL db dump today, to remind myself which settings I used a while back. When I did that, I saw that the dump file had my SMTP password in there.

Unfortunately this password is used for a real, production SMTP server I control. Even worse, it's a password I use for other important purposes! Anyone who can read the dump file now has my password, which obviously I need to go change in the real world.

So:

1. Be careful which SMTP settings you use in CiviCRM, as your password can be exposed to anyone with access to the db or the db dump files (if unencrypted as they often are).

2. Consider this a feature request for password encryption in CiviCRM.

Harry
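
The check the first post describes (searching a database dump for the stored SMTP password), as an added example that is not part of the original post or CiviCRM's own code. It assumes the mail settings are a PHP-serialized array with a key named `smtpPassword`, which the thread does not state; the table name and the sample dump are constructed.

```python
import re

# Assumption (not stated in the thread): the mail settings are stored as a
# PHP-serialized array whose password entry uses the key "smtpPassword".
KEY = b"smtpPassword"
ENTRY = re.compile(rb's:%d:"%s";s:(\d+):"' % (len(KEY), re.escape(KEY)))
# mysqldump backslash-escapes quotes inside string literals; each escape
# sequence stands for one byte, so collapsing it keeps PHP's byte counts valid.
SQL_ESCAPE = re.compile(rb"\\(.)")


def find_cleartext_smtp_passwords(dump: bytes):
    """Return [(line_number, password_length)] for non-empty stored passwords.

    The password itself is never returned, so the report is safe to log.
    """
    findings = []
    for line_no, line in enumerate(dump.splitlines(), start=1):
        plain = SQL_ESCAPE.sub(rb"\1", line)
        for match in ENTRY.finditer(plain):
            length = int(match.group(1))
            end = match.end() + length
            # A well-formed serialized string closes with '";' after `length` bytes.
            if length > 0 and plain[end:end + 2] == b'";':
                findings.append((line_no, length))
    return findings


# Constructed sample dump (hypothetical table name, made-up credentials).
SAMPLE_DUMP = (
    b"-- constructed sample, not real data\n"
    b"INSERT INTO `example_mail_settings` VALUES (1,'a:3:{"
    b's:10:\\"smtpServer\\";s:16:\\"mail.example.org\\";'
    b's:12:\\"smtpUsername\\";s:5:\\"harry\\";'
    b's:12:\\"smtpPassword\\";s:9:\\"s3cr3t\\"pw\\";'
    b"}');\n"
    # Second row: Sendmail in use, so the password field is empty.
    b"INSERT INTO `example_mail_settings` VALUES (2,'a:1:{"
    b's:12:\\"smtpPassword\\";s:0:\\"\\";'
    b"}');\n"
)

if __name__ == "__main__":
    for line_no, length in find_cleartext_smtp_passwords(SAMPLE_DUMP):
        print(f"line {line_no}: clear-text SMTP password ({length} bytes)")
```

Any line it reports means the dump should be treated as a credential-bearing file: restrict or encrypt it and rotate the password if the dump has already been shared.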


Donald Lobo

  • Administrator
Re: SMTP server password stored in clear text in database
August 27, 2009, 02:40:24 pm

Can you please file an issue for this? We'll fix in a future release (maybe 3.1).

lobo

hlevinson

Re: SMTP server password stored in clear text in database
August 27, 2009, 02:50:49 pm
Added as issue CRM-4967

http://issues.civicrm.org/jira/browse/CRM-4967

Harry


This forum was archived on 2017-11-26.