#13 Admin password visible!

open
nobody
None
5
2007-02-06
2007-02-06
Harold
No

Hi,

Just wanted to inform you of this (I will create a request on SourceForge the next time... my account is not yet
verified).

When starting jmanage from the command line, the admin password is visible when doing a 'ps':

tomcat@as41:/etc/init.d$ ps -ef|grep java
tomcat 32076 32073 1 09:27 pts/0 00:00:16 /usr/local/java/bin/java -ea -classpath ../lib/xml-apis.jar:../lib/xercesImpl.jar:../lib/standard.jar:../lib/org.mortbay.jetty.jar:../lib/mail.jar:../lib/jstl.jar:../lib/jmxremote_optional.jar:../lib/jmanage-utils.jar:../lib/jmanage-tools.jar:../lib/jmanage-testapp.jar:../lib/jmanage-startup.jar:../lib/jmanage-services.jar:../lib/jmanage-management.jar:../lib/jmanage-crypto.jar:../lib/jmanage-connector.jar:../lib/jmanage-config.jar:../lib/jmanage-cmdui.jar:../lib/jmanage-auth.jar:../lib/jmanage-alerts.jar:../lib/jdom.jar:../lib/javax77.jar:../lib/javax.servlet.jar:../lib/jasper-runtime.jar:../lib/jasper-compiler.jar:../lib/hsqldb-1.8.0.5.jar:../lib/commons-modeler.jar:../lib/commons-logging.jar:../lib/commons-beanutils.jar:../lib/ant.jar:../lib/activation.jar: -Djava.security.policy=java.policy -Djmanage.root=.. -Djava.util.logging.config.file=../config/logging.properties -Djava.security.auth.login.config=../config/jmanage-auth.conf -Dorg.jmanage.core.management.data.formatConfig=../config/html-data-format.properties org.jmanage.webui.Startup jm@n@ge

This is a security risk because anybody with access to the box where jmanage is running can thus find the admin password
and start messing around in jmanage!!!

Please make it possible to start the application without supplying the admin password.
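
The exposure reported above, as an added example that is not part of the original ticket or of jmanage's code: it launches a stand-in child process twice, once with a secret as a trailing argument and once with the secret fed on stdin from an owner-only file, and checks whether the secret can be read back from the child's argument vector. The secret value, the `startup` label and the function names are constructed for illustration; `/proc` is assumed (Linux), with `ps` as a fallback.

```shell
#!/bin/sh
# Added example. SECRET is a constructed placeholder; the child is a stand-in, not jmanage.
SECRET='constructed-placeholder-pw'

# Print a process's argument vector as any local user can see it.
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Wait (up to ~5 s) until the forked child has exec'd and shows its own argv.
wait_for_exec() {
    tries=0
    while [ "$tries" -lt 50 ]; do
        case "$(argv_of "$1" 2>/dev/null)" in *"sleep 5"*) return 0 ;; esac
        sleep 0.1 2>/dev/null || sleep 1
        tries=$((tries + 1))
    done
    return 1
}

# exposed argv|stdin -> prints "yes" if SECRET is readable from the child's argv, else "no".
exposed() {
    pwfile=''
    if [ "$1" = argv ]; then
        # Weak: secret passed as a trailing argument, as in the ps output in the ticket.
        sh -c 'sleep 5; :' startup "$SECRET" </dev/null >/dev/null 2>&1 &
    else
        # Safer: secret kept in a file (mktemp creates it mode 0600) and read from stdin.
        pwfile=$(mktemp)
        printf '%s\n' "$SECRET" > "$pwfile"
        sh -c 'read -r pw; sleep 5; :' startup < "$pwfile" >/dev/null 2>&1 &
    fi
    pid=$!
    wait_for_exec "$pid" || :
    case "$(argv_of "$pid")" in
        *"$SECRET"*) result=yes ;;
        *) result=no ;;
    esac
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    if [ -n "$pwfile" ]; then rm -f "$pwfile"; fi
    echo "$result"
}

echo "secret visible when passed as argument: $(exposed argv)"
echo "secret visible when read from stdin:    $(exposed stdin)"
```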
