alextselegidis / easyappointments

:date: Easy!Appointments - Self Hosted Appointment Scheduler
https://easyappointments.org
GNU General Public License v3.0

security breach #1590

Open Wittemberg opened 2 months ago

Wittemberg commented 2 months ago

I found a security flaw that I found bizarre.

I simulated losing my password... then I clicked on recover and it gave me an error, as I hadn't configured SMTP... In the error message that appeared on the screen, I had the new password... lol

cashewcodes9 commented 2 months ago

I found the same issue and this needs to be fixed ASAP as it is related to a security breach.

alextselegidis commented 2 months ago

Hello!

Thanks for sharing this.

This will only happen if the DEBUG mode is enabled, which is not related to production installations.

However we should in general avoid this, so I will change the debug output to not include passwords.

Alex Tselegidis, Easy!Appointments Creator
Need a customization? Get a free quote!

cashewcodes9 commented 1 month ago

The app is not in debug mode and is running with Cloudron. The SMTP mail setup is wrong and the password is included in the error. Is there anything I can provide for further debugging? Thanks.

rezzorix commented 1 month ago

Just adding to see if I understand this right:

For this scenario to play out, the following conditions must be met:

Do I understand this right?

edit: @cashewcodes9 I also believe the software is in debug mode by default. You would need to change it after setup.

alextselegidis commented 1 month ago

Hello!

Clarification: the app is not in debug mode by default. This is something you can configure in the root config.php


rezzorix commented 1 month ago

> Hello!
>
> Clarification: the app is not in debug mode by default. This is something you can configure in the root config.php

Sorry, yes, I just checked my file and debug was set to true in my config.php... not sure where it came from. It is probably better for people to check their config.php in case they, like I did, modified something and then forgot about it. I have also checked the latest release; the config-sample.php is definitely not in debug mode.

elcid2012 commented 1 month ago

I was able to replicate this behavior with DEBUG_MODE=FALSE

This would ideally be addressed with a proper way to configure email via the webapp's GUI, also related to #1587

The issue is due to no way to properly configure the email settings without modifying application/config/email.php, which is an ephemeral file at least in the Docker version, since easyappointments does not have a volume bind mount in which /var/www/html is saved on the host disk.

Since email is not properly configured, the webapp GUI throws an error and displays the email's contents, which include the password.

Even more ideally, this would be addressed with a true password reset link rather than sending an email with a plaintext password.
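The two fixes discussed in this thread (do not surface the outgoing mail body in the UI error, and send a reset link instead of a plaintext password) as an added example. This is not Easy!Appointments code and does not use its CodeIgniter models; the in-memory `$resetTokens` array, the `sendMail()` stand-in that throws like a misconfigured SMTP transport, and the URL `https://booking.example` are assumptions made for the example.

```php
<?php
// Added example (not Easy!Appointments code): token-based password reset that
// never puts a credential or the outgoing mail body into an error shown to the
// browser. An in-memory array stands in for a database table.
declare(strict_types=1);

const RESET_TTL_SECONDS = 3600;

/** @var array<string, array{user_id:int, expires:int}> keyed by sha256(token) */
$resetTokens = [];

// Issue a reset token. The random token goes only into the emailed link; the
// store keeps just its SHA-256 hash and an expiry, so a leaked table does not
// yield usable links.
function issueResetToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = ['user_id' => $userId, 'expires' => $now + RESET_TTL_SECONDS];
    return $token;
}

// Redeem a token: look it up by hash, burn it so the link is single-use, then
// enforce the expiry. Returns the user id, or null if the token is unknown or expired.
function redeemResetToken(array &$store, string $token, int $now): ?int
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $entry = $store[$key];
    unset($store[$key]);
    if ($entry['expires'] < $now) {
        return null;
    }
    return $entry['user_id'];
}

// Stand-in for the mail transport (assumption). It throws the way an
// unconfigured SMTP transport would, and the exception message carries the
// body, which is exactly what must not reach the page.
function sendMail(string $to, string $subject, string $body, bool $smtpConfigured): void
{
    if (!$smtpConfigured) {
        throw new RuntimeException("SMTP not configured; unsent message to $to: $body");
    }
    // a real transport would hand the message off here
}

// Recovery handler. Returns the only text that is safe to show the user.
// On transport failure it logs the exception class (not getMessage(), which
// contains the body) and still returns the same neutral sentence.
function handleRecovery(array &$store, int $userId, string $email, string $baseUrl,
                        bool $smtpConfigured, array &$log, int $now): string
{
    $token = issueResetToken($store, $userId, $now);
    $link = $baseUrl . '/reset?token=' . urlencode($token);
    try {
        sendMail($email, 'Password reset', "Open this link within an hour: $link", $smtpConfigured);
    } catch (Throwable $e) {
        $log[] = 'password reset mail failed: ' . get_class($e);
    }
    return 'If that address is registered, a reset link has been sent.';
}

// --- usage: SMTP deliberately unconfigured, as in the reports above ---
$log = [];
$now = time();
echo handleRecovery($resetTokens, 42, 'user@example.com', 'https://booking.example', false, $log, $now), PHP_EOL;
echo $log[0], PHP_EOL;                     // "password reset mail failed: RuntimeException"

// --- usage: a token issued and redeemed once, then rejected on reuse ---
$t = issueResetToken($resetTokens, 7, $now);
var_dump(redeemResetToken($resetTokens, $t, $now));        // int(7)
var_dump(redeemResetToken($resetTokens, $t, $now));        // NULL (single use)
$t2 = issueResetToken($resetTokens, 8, $now);
var_dump(redeemResetToken($resetTokens, $t2, $now + RESET_TTL_SECONDS + 1)); // NULL (expired)
```

The important property is in `handleRecovery()`: the only strings that can reach the browser are a fixed sentence and, in the log, the exception class name. Whatever the mailer puts in its error (the recipient, the body, and in the current Easy!Appointments flow the new password) stays out of the response regardless of whether `DEBUG_MODE` is on or off in config.php.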