I think this is a major security flaw that you have to fix right away. Even though $user->pass is passed through md5, you can still use a rainbow table to decrypt it. $user->pass is something that should never have to be viewed in debugging information, so it should be removed.
To reproduce, visit http://drupalforfirebug.chapterthree.com/tests/users , and click on the Users tab.....
Comments
Comment #1
populist commented:
This is a great point Rob and it should get resolved tomorrow. I was giving a presentation showcasing this at a local user group and in the middle I was showing my user account and was like.. oh wow,.. there is my md5() password. Glad this is being recorded.
To be fair, anyone with the Execute PHP can get this information with a simple db_query() call back, but no reason to make it any easier and blocking will allow you to permission Execute PHP to the trusted people and Firebug debug to the mostly trusted people.
Comment #2
robloach commented:
Haha, seems like you dug yourself into a hole during the presentation. That happens a lot when presenting developer talks. I remember I was giving a presentation about the Bot module, and realized that you had to type in your password in order to correctly authenticate with it. Luckily I changed the password to "password" before I gave my real password out to everyone during the presentation ;-) .
I only had a quick chance to try Drupal for Firebug out last week; next week I'll have a closer look at the code and see if I can do up a quick patch for ya.
Comment #3
populist commented:
I added a change that removes the $user->pass value from being displayed. If there ever is a need to see this data, you can easily implement a firep() callback to see it.
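One way to implement the kind of fix described in this comment, as an added example that is not the Drupal for Firebug module's own code: redact credential-bearing fields from a copy of the user object before it is handed to any debug panel, so the hash never reaches the Firebug output no matter which code path renders the user. The function names and the list of redacted fields are assumptions for illustration; the sample user object is constructed inline.

```php
<?php
// Added example, not code from the Drupal for Firebug module.
// Field names that must never appear in debug output. The list is an
// assumption for this example; extend it to match the user object your
// site actually loads.
function debug_sensitive_user_fields() {
  return array('pass', 'sid', 'session');
}

// Returns a shallow copy of $account with sensitive fields replaced by a
// marker. The caller's object is left untouched because we clone it first.
function debug_redact_user($account) {
  $copy = clone $account;
  foreach (debug_sensitive_user_fields() as $field) {
    if (isset($copy->$field)) {
      $copy->$field = '[redacted]';
    }
  }
  return $copy;
}

// Constructed sample shaped like Drupal's global $user; the hash below is
// md5('password') and is not a real credential.
$sample = new stdClass();
$sample->uid   = 1;
$sample->name  = 'admin';
$sample->pass  = md5('password');
$sample->mail  = 'admin@example.com';
$sample->roles = array(2 => 'authenticated user');

$safe = debug_redact_user($sample);

// Only the redacted copy is passed on to the debug layer (firep() in the
// module's case; print_r() stands in for it here).
print_r($safe);

// Sanity check: the original still holds the hash, the copy does not.
assert($sample->pass === md5('password'));
assert($safe->pass === '[redacted]');
```

Redacting on a copy rather than unsetting the property keeps the debug output honest about which fields exist while guaranteeing the value itself is never rendered; anyone who genuinely needs the hash can still reach it through a deliberate, separately permissioned path rather than through a general-purpose debug panel.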
Comment #4
robloach commented:
Great work, Matt! Thanks a lot.
Comment #5
Anonymous (not verified) commented:
Automatically closed -- issue fixed for two weeks with no activity.