Bug 1145304

Summary: All Passwords visible in UI when viewing page source
Product: Red Hat CloudForms Management Engine
Reporter: Josh Carter <jocarter>
Component: UI - OPS
Assignee: Martin Povolny <mpovolny>
Status: CLOSED ERRATA
QA Contact: Dave Johnson <dajohnso>
Severity: high
Priority: high
Version: 5.2.0
CC: apatters, bmoss, drieden, jprause, jrusnack, kseifried
Target Milestone: GA
Keywords: Security
Target Release: 5.3.2
Hardware: All
OS: All
Fixed In Version: 5.3.2
Doc Type: Bug Fix
Doc Text:
Passwords that have been submitted to the CFME database are retrievable in the UI and are obfuscated with asterisks. However, when viewing the HTML source the passwords are visible in plain text. Passwords are no longer passed to HTML forms, and cannot be viewed in the source.
Last Closed: 2015-01-14 19:42:10 UTC
Type: Bug
Bug Blocks: 1146354

Description Josh Carter 2014-09-22 19:18:13 UTC
Description of problem:

Passwords that have been submitted to the database are retrievable in the UI.  Viewing the page, the password field is obfuscated with asterisks.  But viewing the HTML source, the password is clearly visible.

This password should be an encrypted hash of the password to protect it once it has already been accepted by the DB.

Some users may have Admin permissions within CloudForms but they are not provided passwords to other sensitive applications such as vCenter and Active Directory/LDAP.  But a user is able to look at HTML source and get these passwords.


As a security measure in the UI, this password should be an encrypted hash. Or once the password has been submitted to the database, it should have a link to update the password (challenge old pw, new pw, new pw).  It should not have the password unencrypted in the HTML source.


Version-Release number of selected component (if applicable): 5.2.5


How reproducible: very


Steps to Reproduce:
1. Log into CloudForms and navigate to Configure=>Configuration.
2. From the left nav tree, select Settings and click on a server.
3. In the content window, click on the Authentication tab.
4. In the Role Settings area, click on the Bind Password field.
5. If using Chrome, right click and select Inspect Element (for other browsers, just view source and search for the Bind Password field).

The password is clearly visible in the HTML source.

Actual results:


Expected results:


Additional info:

Comment 4 Kurt Seifried 2014-09-25 04:57:26 UTC
This will need at least one CVE; ideally, if we identify all of these issues and fix them at the same time, this will be a single CVE, otherwise we'll have multiple CVEs. Starting an email thread with all involved people.

Comment 7 Kurt Seifried 2014-10-09 19:41:47 UTC
Are any of these passwords shown to users that should not have access to them, e.g. are they only shown to the users that would be able to set them?

Comment 8 Martin Povolny 2014-10-12 21:20:23 UTC
As far as I see so far, only shown to users that would be able to set them.

Comment 11 Martin Povolny 2014-11-19 09:03:20 UTC
upstream fix merged

https://github.com/ManageIQ/manageiq/pull/926

commits:

67e4c94db6ac9b610806d1f58dd859323fb82640 Revert hiding of amazon key.
e030433ade9b918e4fa19857d8704aa637effe4d Add conditional placeholders to HTML password fields.
6105cd66ae8a0657797ec67140ac02dd41e08d7d Add conditional placeholders to HTML password fields.
10a5d72057f11b14eef2f3111c6e0e859b2a205b Do not pass infra provider passwords to HTML form.
3f8cf61f20cdfebcc1af7c38c7a74710c195a818 Do not pass Amazon secrets and LDAP password to HTML form.
5dbdfe34e355b2ee58f9ffc01e9739e0b6da032e Do not pass DB password to HTML form.
20383472c153a0e62f5963a62035394aa9bf86ce Do not pass SMTP password to HTML form.
394d07cecc41bf46c0c946076892daab587087b2 Cleanup email password partial.
fd3beebc0b84fe5d7aefcdbc017646c88ef607be Cleanup credentials for RHN partial.
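
The pattern the commit titles above describe ("Do not pass ... password to HTML form", "Add conditional placeholders to HTML password fields"), sketched as an added example that is not taken from the ManageIQ pull request. The helper names, the `bind_pwd` field name and the sample secret are hypothetical, and the regex-based check is a simplification suitable for a regression test over rendered output, not a full HTML parser.

```ruby
require "cgi/escape"

# Before: the stored secret is written into the value attribute, so it is
# readable in page source even though the browser masks it on screen.
def render_password_field_vulnerable(name, stored)
  %(<input type="password" name="#{name}" value="#{CGI.escapeHTML(stored.to_s)}">)
end

# After: the secret never reaches the template. A placeholder only signals
# that a value is already stored (the "conditional placeholder").
def render_password_field(name, stored)
  hint = stored.to_s.empty? ? "" : %( placeholder="********")
  %(<input type="password" name="#{name}" value=""#{hint}>)
end

# On save, a blank submission means "keep the stored password", because the
# form no longer round-trips the existing value.
def apply_password_update(settings, key, submitted)
  return settings if submitted.nil? || submitted.empty?
  settings.merge(key => submitted)
end

# Regression check over rendered HTML: returns the names of password inputs
# whose value attribute is non-empty.
def leaked_password_inputs(html)
  html.scan(/<input\b[^>]*>/i).select { |tag|
    tag =~ /\stype\s*=\s*["']?password/i &&
      tag =~ /\svalue\s*=\s*["']([^"']+)["']/i
  }.map { |tag| tag[/\sname\s*=\s*["']([^"']*)["']/i, 1] }
end

if __FILE__ == $PROGRAM_NAME
  secret = "S3cr3t-constructed" # constructed sample value
  puts render_password_field_vulnerable("bind_pwd", secret)
  puts render_password_field("bind_pwd", secret)
  p leaked_password_inputs(render_password_field_vulnerable("bind_pwd", secret))
end
```

Running `leaked_password_inputs` against every rendered settings page in a view or integration test catches a reintroduced `value=` on any password field, not only the ones fixed here.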

Comment 12 Martin Povolny 2014-11-25 13:22:18 UTC
changes cherry-picked to production/5.3.z

commits:

52cec566394a4260ea34578fd149b4544811f5e2 Revert hiding of amazon key.
ccdc9b6a9ddb31c1cca8d3a2ecc7bf4b25b7807e Add conditional placeholders to HTML password fields.
415b70160416b4507f5a7e9628a2f3c3d2fafbcf Add conditional placeholders to HTML password fields.
ccd2853251d6c53977f1b9401b2c3ac1edb23fba Do not pass infra provider passwords to HTML form.
361a46a67ca9a73cfe4618273cda5870e5c1ab24 Do not pass Amazon secrets and LDAP password to HTML form.
6b2f08b8bd2896671dec142b9da3f77f06fc11d8 Do not pass DB password to HTML form.
bc53cbb4a44151998d96a5f0f6bde6f7fec63f2c Do not pass SMTP password to HTML form.
5f0827372827b3903e34c5c879c92141ed73a7b6 Cleanup email password partial.
20d9864581938b9ab35ac130f41745ac4aa7e704 Cleanup credentials for RHN partial.

Comment 14 Dave Johnson 2015-01-12 17:30:51 UTC
good 2 go in 5.3.2.06

Comment 16 errata-xmlrpc 2015-01-14 19:42:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0028.html