Bug 490624
| Summary: | API traceback emails for auth.login contain password in cleartext | ||
|---|---|---|---|
| Product: | Red Hat Satellite 5 | Reporter: | Eric Williams <eric.williams> |
| Component: | API | Assignee: | Brad Buckingham <bbuckingham> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Sayli Karmarkar <skarmark> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 520 | CC: | cperry, iannis, mzazrivec, xdmoon |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sat530 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-09-10 19:55:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 456996 | ||
Description of problem:
If an error occurs during an XMLRPC API login, the traceback emails sent by the satellite server contain the username and password used in cleartext.

Version-Release number of selected component (if applicable):
Satellite 5.2

How reproducible:
Always

Steps to Reproduce:
1. [python snippet]

```python
import xmlrpclib

def create_session(URL, username, password, verbose=0):
    """ creates the RHN session, returns the server proxy and the session_key string """
    rhn = xmlrpclib.Server(URL, verbose=verbose)
    session_key = rhn.auth.login(username, password)
    rhn.sysver = rhn.api.systemVersion()
    rhn.apiver = rhn.api.getVersion()
    return rhn, session_key

# note extra "/" at beginning of path component
rhn, session_key = create_session("https://dhcp-1-221.fab.redhat.com//rpc/api", "satadmin", "password")
```

2. Check email

Traceback email contains the following:

```
Headers:
Content-Length: 218
Content-Type: text/xml
Host: dhcp-1-221.fab.redhat.com
User-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)

RPC Request: auth.login(satadmin, password)
```

Actual results:
Admin password has been sent via Email to the configured administrator email address/mailing list.

Expected results:
The password in auth.login should be masked out or removed.

Additional info:
If users are testing scripts and encounter an error when creating the session, their password will be sent to the administrator. This doesn't seem to be the desired outcome.

---

The Perl stack still recognizes this. It should not. This (and any similar URL) should return a 404 Not Found.

Examples:
<FQDN>//rpc/api
<FQDN>/rpc//api
<FQDN>//rpc//api

But basically, we have something in the perl code that still thinks this is real:

```
The following exception occurred while executing this request:

POST /rpc//api HTTP/1.1 (from browser)
/rpc//api (from Apache)

Date: Tue Mar 17 12:45:56 2009

Headers:
Connection: TE, close
Content-Length: 216
Content-Type: text/xml
Host: test10-64.rhndev.redhat.com
TE: deflate,gzip;q=0.3
User-Agent: libwww-perl/5.805

RPC Request: auth.login(bdperkin, ########)

User Information: (not logged in)

Error notes: (none)

Initial Request: Yes

Error message:
Can't locate Sniglets/API.pm in @INC (@INC contains: /var/www/lib /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib64/perl5/site_perl/5.8.5/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.4/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.3/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.2/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.1/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.0/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.4/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.3/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.2/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.1/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.0/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /etc/rhn/satellite-httpd) at /usr/lib/perl5/site_perl/5.8.5/PXT/ApacheHandler.pm line 520.
=====================================================================
```

Nothing should be using Sniglets/API.pm anymore, so we need to remove that code path, wherever it is.

---

I have run several tests using the Satellite 5.3 httpd configuration and I have not been able to reproduce the behavior described. (Note: I was able to reproduce it using Satellite 5.2).

One of the changes introduced in Satellite 5.3 is to move away from the existing satellite-httpd to the standard httpd configuration with the addition of the configs needed by Satellite (i.e. /etc/httpd/conf.d -> zz-spacewalk-server.conf & zz-spacewalk-www.conf).

With this configuration, I was able to verify scenarios such as the following without generating any traceback emails:

```
bash-3.2$ python
Python 2.4.3 (#1, Sep 17 2008, 16:04:01)
[GCC 4.1.2 20071124 (Red Hat 4.1.2-41)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import xmlrpclib
>>> rhn=xmlrpclib.Server('http://<server>//rpc/api',verbose=0)
>>> key=rhn.auth.login('admin','password')
>>> key
'365x6c87f63c547c8f6577dc5d5485716f7e'
>>> rhn.auth.logout(key)
1
>>> rhn=xmlrpclib.Server('http://<server>/rpc//api',verbose=0)
>>> key=rhn.auth.login('admin','password')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.4/xmlrpclib.py", line 1096, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.4/xmlrpclib.py", line 1383, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.4/xmlrpclib.py", line 1137, in request
    headers
xmlrpclib.ProtocolError: <ProtocolError for <server>/rpc//api: 404 Not Found>
>>> key
'365x6c87f63c547c8f6577dc5d5485716f7e'
>>> rhn=xmlrpclib.Server('http://<server>//rpc//api',verbose=0)
>>> key=rhn.auth.login('admin','password')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.4/xmlrpclib.py", line 1096, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.4/xmlrpclib.py", line 1383, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.4/xmlrpclib.py", line 1137, in request
    headers
xmlrpclib.ProtocolError: <ProtocolError for <server>//rpc//api: 404 Not Found>
>>> rhn=xmlrpclib.Server('http://<server>/something/rpc/api',verbose=0)
>>> key=rhn.auth.login('admin','password')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.4/xmlrpclib.py", line 1096, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.4/xmlrpclib.py", line 1383, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.4/xmlrpclib.py", line 1137, in request
    headers
xmlrpclib.ProtocolError: <ProtocolError for <server>/something/rpc/api: 404 Not Found>
>>> rhn=xmlrpclib.Server('http://<server>///rpc/api',verbose=0)
>>> key=rhn.auth.login('admin','redhat')
>>> key
'366x111f292fecffccb926636dd39c56b27b'
>>>
```

Moving the BZ to ON_QA to allow for some additional testing.

---

verified.

---

Verified in stage -> RELEASE_PENDING

---

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
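The expected result in the description (mask or drop the password in the `auth.login` line of the traceback email) and the `auth.login(bdperkin, ########)` form that appears in the later comment describe the same defensive fix: the credential must never reach the mailed report. The following is an added Python 3 example, not code from this bug report or from Satellite/Spacewalk, showing the two places such masking can be applied. `SENSITIVE_ARGS`, `MASK`, `SAMPLE_EMAIL` and the function names are constructed for this example; `SAMPLE_EMAIL` is a constructed report body modelled on the headers quoted in the description, and the only sensitive method it knows about is `auth.login`, the one the page names.

```python
import re

# First argument position (0-based) that holds a secret, per RPC method.
# auth.login(username, password): the password is argument 1. Constructed
# table for this example; extend it for any other credential-carrying call.
SENSITIVE_ARGS = {"auth.login": 1}
MASK = "########"

# Shape of the line in the traceback email: "RPC Request: method(arg, arg)"
RPC_LINE = re.compile(
    r"^(?P<prefix>\s*RPC Request:\s*)(?P<method>[\w.]+)\((?P<args>.*)\)\s*$"
)


def format_rpc_request(method, args):
    """Preferred fix: build the 'RPC Request:' line with secrets already masked.

    Masking at formatting time means the secret is never placed in the report
    text, so no later step (mailer, log shipper) can see it.
    """
    shown = [str(a) for a in args]
    first_secret = SENSITIVE_ARGS.get(method)
    if first_secret is not None and len(shown) > first_secret:
        # Everything from the first secret argument onward collapses to one mask,
        # so the number of secret arguments is not leaked either.
        shown = shown[:first_secret] + [MASK]
    return f"RPC Request: {method}({', '.join(shown)})"


def redact_rpc_request(line):
    """Fallback fix: mask secrets in an already-formatted 'RPC Request:' line.

    Lines that are not RPC request lines, or that name a method with no secret
    arguments, are returned unchanged.
    """
    m = RPC_LINE.match(line)
    if not m:
        return line
    first_secret = SENSITIVE_ARGS.get(m.group("method"))
    if first_secret is None:
        return line
    # Split only up to the first secret argument. The remainder is masked as a
    # single unit, so a password that itself contains a comma cannot leak.
    parts = [p.strip() for p in m.group("args").split(",", first_secret)]
    kept = parts[:first_secret]
    if len(parts) > first_secret:
        kept = kept + [MASK]
    return f"{m.group('prefix')}{m.group('method')}({', '.join(kept)})"


def redact_traceback_email(body):
    """Apply redact_rpc_request to every line of a traceback email body."""
    return "\n".join(redact_rpc_request(line) for line in body.splitlines())


# Constructed sample report body, modelled on the email quoted in the bug.
SAMPLE_EMAIL = """\
The following exception occurred while executing this request:

POST //rpc/api HTTP/1.1

Headers:
Content-Length: 218
Content-Type: text/xml
Host: satellite.example.invalid
User-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)

RPC Request: auth.login(satadmin, s3cret,pw)

User Information: (not logged in)
"""


if __name__ == "__main__":
    print(format_rpc_request("auth.login", ["satadmin", "s3cret,pw"]))
    print(redact_traceback_email(SAMPLE_EMAIL))
```

The structural route (`format_rpc_request`) is the one to prefer when the report generator is under your control; the regex route (`redact_rpc_request`) is the safety net for report text produced elsewhere, and it deliberately masks the whole tail of the argument list rather than trying to count arguments, since a secret can contain the separator.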