Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SMTP Passwords in Cleartext #1790

Closed
benichmt1 opened this issue Jul 31, 2020 · 0 comments · Fixed by #1938
Closed

SMTP Passwords in Cleartext #1790

benichmt1 opened this issue Jul 31, 2020 · 0 comments · Fixed by #1938
Labels
Security

Comments

@benichmt1
Copy link

When I was setting up SMTP, I noticed that the SMTP password was accessible in the clear. I see that this was discussed in a previous issue to change it from type=password to type=text: #954

Screen Shot 2020-07-30 at 4 47 45 PM

I would be concerned from a security perspective if someone got access to my BTCPay Server web portal and used my GSuite / Office365 credentials within to pivot further.

Suggestion

Here's an example of how Grafana handles the same thing:

Screen Shot 2020-07-30 at 4 32 23 PM

You're still able to update and test a new password, but you're not able to read what the previous password was unless you actually look in the database. Essentially the password field in Grafana is populated with a placeholder if you go to view it within the web UI.

In our BTCPay scenario, I suppose someone with access could just add their SSH key but I would hope that a security-conscious administrator would harden or restrict SSH access before going live to production.
NicolasDorier added a commit to NicolasDorier/btcpayserver that referenced this issue Oct 5, 2020
@NicolasDorier
Do not show password in clear text in email configuration (Fix btcpay…
f0f7ac8 
…server#1790)
@NicolasDorier NicolasDorier mentioned this issue Oct 5, 2020
Merged
NicolasDorier added a commit to NicolasDorier/btcpayserver that referenced this issue Oct 5, 2020
@NicolasDorier
Do not show password in clear text in email configuration (Fix btcpay…
60cadb8 
…server#1790)
NicolasDorier added a commit that referenced this issue Oct 8, 2020
@NicolasDorier
Merge pull request #1938 from NicolasDorier/email-pwd
d9d2c7d 
Do not show password in clear text in email configuration (Fix #1790)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Do not show password in clear text in email configuration (Fix #1790) NicolasDorier/btcpayserver
2 participants
@benichmt1 @NicolasDorier