      Description

      I'm implementing ejabberd at my company. I'll use a MySQL database and must be compliant with some security guidelines. One of them is that I can't have plaintext passwords anywhere.

      So, I enabled in ejabberd.cfg:

      {auth_method, odbc}.

      {auth_password_format, scram}.

      However, registering users on the command line:

      ejabberdctl register someuser somedomain.com somepassword

      When I make a select * from users I get all passwords in plaintext. This is a security issue because EJAB-1196 says it works with ODBC, though I'm marking it as critical.

      Thanks,

      Wagner Sartori Junior
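
      A way to check the behaviour reported above, as an added example that is not part of the original report or of ejabberd's code: it derives the values a SCRAM-SHA-1 server stores in place of the password (RFC 5802) and classifies a row for a test account registered with a known password. The row layout (`password`, `salt`, `iterations` keys) and the function names are assumptions made for illustration, not ejabberd's actual schema.

```python
import base64
import hashlib
import hmac
import os


def scram_record(password, salt=None, iterations=4096):
    """Return the values a SCRAM-SHA-1 server keeps instead of the password."""
    # SASLprep normalisation (RFC 5802) is skipped: ASCII passwords only.
    salt = salt if salt is not None else os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {
        "stored_key": base64.b64encode(hashlib.sha1(client_key).digest()).decode(),
        "server_key": base64.b64encode(server_key).decode(),
        "salt": base64.b64encode(salt).decode(),
        "iterations": iterations,
    }


def classify(row, test_password):
    """Classify one row (hypothetical layout) for a known test password."""
    stored = row["password"].encode()
    if hmac.compare_digest(stored, test_password.encode()):
        return "plaintext"  # the password itself is sitting in the column
    if row.get("salt") and row.get("iterations"):
        expected = scram_record(test_password, base64.b64decode(row["salt"]),
                                row["iterations"])
        if hmac.compare_digest(expected["stored_key"].encode(), stored):
            return "scram"  # column holds StoredKey derived from the password
    return "unknown"


# Constructed sample rows for the test account from the report's command.
TEST_PASSWORD = "somepassword"
REC = scram_record(TEST_PASSWORD)
ROWS = [
    {"username": "someuser", "password": "somepassword"},
    {"username": "someuser", "password": REC["stored_key"],
     "salt": REC["salt"], "iterations": REC["iterations"]},
]

if __name__ == "__main__":
    for row in ROWS:
        print(row["username"], classify(row, TEST_PASSWORD))
```
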
