[BUG] Critical security bug in Glorp: Stack traces contain plain text passwords


[BUG] Critical security bug in Glorp: Stack traces contain plain text passwords

Joachim Geidel
When a stack trace includes Glorp methods and an instance variable which is
a Glorp.Login, the username and password will be printed as plain text.

This is a **severe** security bug which compromises all Glorp-based
applications which dump stack traces when an error occurs. No more need to
install trojans and keyboard loggers, just have a look at the error logs...

The offending method is Glorp.Login>>printOn: of course. Anybody running
Glorp-based applications may want to patch it as soon as possible.

I have spotted this in VisualWorks 7.7, but it is probably the same in
earlier versions and in Glorp versions for other platforms.

Could someone who is subscribed to the appropriate Glorp, Squeak, Dolphin
etc. mailing lists please send a warning to all potentially affected users
of Glorp? I am not sure if stack traces of other Smalltalks would print the
passwords, but better to raise a false alarm than to ruin the reputation of
Smalltalk.

Cincom might also want to inform their commercial customers who are not
subscribed to vwnc.

Best regards,
Joachim Geidel

PS: If you want to sniff passwords, here's the pattern to look for:
----------------------------------------------------------------------
Glorp.VWDatabaseAccessor>>executeCommand:inDBSession:
Receiver:
    a Glorp.VWDatabaseAccessor
Instance Variables:
    connection = a PostgreSQLEXDIConnection
    currentLogin = a Login(a Glorp.PostgreSQLPlatform, 'username',
'password', 'store.cincomsmalltalk.com:5432_store_public', '')
    logging = false
    reusePreparedStatements = true
    deniedCommands = nil
    mutex = a Semaphore[0]
    dependents = nil
    driverSession = nil
    preparedStatements = a Glorp.CacheManager
Arguments:
    aCommand = a Glorp.QuerySelectCommand(a SimpleQuery for
StoreVersionlessPackage)
    aSession = a PostgreSQLEXDISession
Temporaries:
    answerStream = nil
    cursor = nil
Context PC = 3


_______________________________________________
vwnc mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/vwnc
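The report above names Glorp.Login>>printOn: as the method that writes the password into every stack trace. As an added illustration, not code from the original post or from the Glorp project, here is the shape of a printOn: that keeps the password out of the printString, followed by a workspace check that the dump no longer carries the secret. The class name Login and the accessors database, username, password and connectString are assumed from the trace in the report, not verified against any Glorp release; the secret and connect string in the check are constructed values.

```smalltalk
"Added example, not Glorp's own code. To be installed as an instance-side
method of Glorp.Login. Accessor names are assumed from the trace above."
printOn: aStream
    "Print the login in the same shape the stack trace shows, but never the password."
    aStream
        nextPutAll: 'a Login(';
        print: self database;
        nextPutAll: ', ';
        print: self username;
        nextPutAll: ', ';
        nextPutAll: '<password redacted>';
        nextPutAll: ', ';
        print: self connectString;
        nextPut: $)

"Workspace check with constructed values. A stack trace dump prints instance
variables via printString, so the secret must not appear in it."
| login secret |
secret := 'constructed-s3cret-value'.
login := Glorp.Login new
    username: 'username';
    password: secret;
    connectString: 'db.example.invalid:5432_store_public';
    yourself.
(login printString includesSubstring: secret)
    ifTrue: [self error: 'password leaked into printString']
    ifFalse: [Transcript showCr: 'printOn: is safe: ', login printString]
```

Because the trace prints the accessor's currentLogin instance variable through the Login's own printString, every object that holds a Login picks up the redaction once this one method is patched; the workspace check is the regression test to keep alongside the patch.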

Re: [BUG] Critical security bug in Glorp: Stack traces contain plain text passwords

Alan Knight-2
No, that's not good, is it.

At 02:29 AM 2010-02-20, Joachim Geidel wrote:

--
Alan Knight [|], Engineering Manager, Cincom Smalltalk
