#9499 closed defect (invalid)
The libamqp.c file has a plaintext password, and the amqp network protocol has security problems.
| Reported by: | wujian | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | avformat |
| Version: | unspecified | Keywords: | libamqp |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description (last modified by )
Summary of the bug:
How to reproduce:
    if (!password || *password == '\0')
        password = "guest";
    password_decoded = ff_urldecode(password, 0);
    if (!password_decoded)
        return AVERROR(ENOMEM);
    user = credentials;
    if (*user == '\0')
        user = "guest";
Change History (7)
comment:1 by , 3 years ago
Description: | modified (diff) |
---|
follow-up: 3 comment:2 by , 3 years ago
comment:3 by , 3 years ago
Replying to Marton Balint:
How is this a security issue?
If user and password are null, they will use the clear text "guest" as user and password to amqp_login.
follow-up: 5 comment:4 by , 3 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
That is intentional, guest credentials are used because the protocol provides no means to skip authentication.
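An added example, not part of the ticket or of FFmpeg: a small C audit helper that reports which credential fields of an amqp:// URL are absent and would therefore be replaced by "guest" under the fallback quoted in the description. The function name, the flag names and the assumed URL shape `amqp://user:password@host` are assumptions made for this illustration, and the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define AMQP_DEFAULT_USER 1   /* user name missing, "guest" would be used */
#define AMQP_DEFAULT_PASS 2   /* password missing, "guest" would be used  */

/*
 * Hypothetical helper (not FFmpeg code). Returns a bitmask of
 * AMQP_DEFAULT_* flags for the given URL, or -1 if it is not amqp://.
 */
int amqp_url_default_creds(const char *url)
{
    static const char scheme[] = "amqp://";
    const char *p, *end, *q, *at = NULL, *colon;
    int flags = 0;

    if (strncmp(url, scheme, sizeof(scheme) - 1) != 0)
        return -1;
    p = url + sizeof(scheme) - 1;

    /* The authority ends at the first '/', '?' or '#', or at end of string. */
    end = p + strcspn(p, "/?#");

    /* Userinfo is everything before the last '@' inside the authority. */
    for (q = p; q < end; q++)
        if (*q == '@')
            at = q;
    if (!at)                                  /* no userinfo at all */
        return AMQP_DEFAULT_USER | AMQP_DEFAULT_PASS;

    colon = memchr(p, ':', (size_t)(at - p)); /* search userinfo only */
    if (at == p || colon == p)                /* empty user name */
        flags |= AMQP_DEFAULT_USER;
    if (!colon || colon + 1 == at)            /* no password, or empty one */
        flags |= AMQP_DEFAULT_PASS;
    return flags;
}

int main(void)
{
    /* Constructed sample URLs. */
    const char *urls[] = { "amqp://broker.example:5672/vhost",
                           "amqp://alice@broker.example",
                           "amqp://alice:s3cret@broker.example" };
    for (size_t i = 0; i < sizeof(urls) / sizeof(urls[0]); i++)
        printf("%-40s flags=%d\n", urls[i], amqp_url_default_creds(urls[i]));
    return 0;
}
```

A non-zero result marks a configuration that relies on the broker accepting the guest account.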
comment:5 by , 3 years ago
Resolution: | invalid → fixed |
---|
Replying to Marton Balint:
That is intentional, guest credentials are used because the protocol provides no means to skip authentication.
Thank you, I get it.
comment:6 by , 2 years ago
Keywords: | libamqp added; amqp network protocol security problems removed |
---|
comment:7 by , 2 years ago
Resolution: | fixed → invalid |
---|