
#13 Admin password visible!

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2007-02-06
Created: 2007-02-06
Creator: Harold
Private: No

Hi,

Just wanted to inform you of this (I will create a request on SourceForge the next time; my account is not yet verified).

When starting jmanage from the command line, the admin password is visible when doing a 'ps':

tomcat@as41:/etc/init.d$ ps -ef|grep java
tomcat 32076 32073 1 09:27 pts/0 00:00:16 /usr/local/java/bin/java -ea -classpath ../lib/xml-apis.jar:../lib/xercesImpl.jar:../lib/standard.jar:../lib/org.mortbay.jetty.jar:../lib/mail.jar:../lib/jstl.jar:../lib/jmxremote_optional.jar:../lib/jmanage-utils.jar:../lib/jmanage-tools.jar:../lib/jmanage-testapp.jar:../lib/jmanage-startup.jar:../lib/jmanage-services.jar:../lib/jmanage-management.jar:../lib/jmanage-crypto.jar:../lib/jmanage-connector.jar:../lib/jmanage-config.jar:../lib/jmanage-cmdui.jar:../lib/jmanage-auth.jar:../lib/jmanage-alerts.jar:../lib/jdom.jar:../lib/javax77.jar:../lib/javax.servlet.jar:../lib/jasper-runtime.jar:../lib/jasper-compiler.jar:../lib/hsqldb-1.8.0.5.jar:../lib/commons-modeler.jar:../lib/commons-logging.jar:../lib/commons-beanutils.jar:../lib/ant.jar:../lib/activation.jar: -Djava.security.policy=java.policy -Djmanage.root=.. -Djava.util.logging.config.file=../config/logging.properties -Djava.security.auth.login.config=../config/jmanage-auth.conf -Dorg.jmanage.core.management.data.formatConfig=../config/html-data-format.properties org.jmanage.webui.Startup jm@n@ge

This is a security risk because anybody with access to the box where jmanage is running can thus find the admin password and start messing around in jmanage!!!

Please make it possible to start the application without supplying the admin password.
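
An added example, not part of the original report or of jmanage's code: a small audit for Linux hosts that reads /proc/<pid>/cmdline and flags Java processes launched with arguments after the main class, the position where the password appears in the 'ps' output above. The option table is a heuristic and the sample command line is constructed.

```python
import os

# JVM launcher options whose value is the *next* token (heuristic, not exhaustive).
TAKES_VALUE = {"-cp", "-classpath", "--class-path", "-p", "--module-path"}

# Constructed sample, shaped like the command line in the report above.
SAMPLE = ["/usr/local/java/bin/java", "-ea", "-classpath", "../lib/a.jar:../lib/b.jar",
          "-Djmanage.root=..", "org.jmanage.webui.Startup", "EXAMPLE-PASSWORD"]

def java_app_args(argv):
    """Return (main_class_or_jar, application_args), or None if argv is not a java launch."""
    if not argv or os.path.basename(argv[0]) != "java":
        return None
    i = 1
    while i < len(argv):
        if argv[i] in TAKES_VALUE:
            i += 2                        # skip the option and its value
        elif argv[i].startswith("-"):
            i += 1                        # -ea, -Dkey=value, -jar, ...
        else:
            return argv[i], argv[i + 1:]  # first bare token: main class or jar
    return None

def read_cmdline(pid, proc_root="/proc"):
    """Read the NUL-separated argv that the kernel exposes to local users by default."""
    try:
        with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
            raw = f.read()
    except OSError:                       # process exited, or access denied
        return []
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]

def audit(proc_root="/proc"):
    """List (pid, main, n_args) for java processes started with application arguments."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        parsed = java_app_args(read_cmdline(pid, proc_root))
        if parsed and parsed[1]:
            # Report only the count, so the audit output does not repeat the secret.
            findings.append((int(pid), parsed[0], len(parsed[1])))
    return sorted(findings)

if __name__ == "__main__":
    main_class, args = java_app_args(SAMPLE)
    print(f"sample: {main_class} has {len(args)} application argument(s)")
    if os.path.isdir("/proc"):
        for pid, main, n in audit():
            print(f"pid {pid}: {main} has {n} application argument(s) visible in ps")
```

A finding means only that the process received application arguments; whether any of them is a secret still has to be checked against how that application is started.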

Discussion