Bug 782442
| Summary: | mod_authz_ldap logs the plain text password from AuthzLDAPBindPassword in Apache's log files when it is invalid. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Aleksander Adamowski <bugs-redhat> |
| Component: | mod_authz_ldap | Assignee: | Joe Orton <jorton> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.0 | CC: | jlieskov, ksrot |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mod_authz_ldap-0.26-16.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-10-18 11:44:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Red Hat Security Response Team would not consider this issue to be a security flaw. Though it is definitely a bug, the Apache httpd web server's log files are not accessible by unprivileged user. A privileged user can view the particular password directly. When the particular password would leak due improper Apache httpd web server log files archive / backup process, then it is question of deficiency in the way archives are created. This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative. Thanks for the report. I don't see a good reason for the password to be in there, so we could remove it. This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-1389.html |
Description of problem: mod_authz_ldap logs the plain text password from AuthzLDAPBindPassword in Apache's log files when it is invalid. Version-Release number of selected component (if applicable): # rpm -q mod_authz_ldap-0.26-15.el6.x86_64 mod_authz_ldap-0.26-15.el6.x86_64 How reproducible: always Steps to Reproduce: 1. Configure LDAP authentication using mod_authz_ldap: LoadModule authz_ldap_module modules/mod_authz_ldap.so <IfModule mod_authz_ldap.c> <Location /> AuthType Basic AuthName "Supply login/password for LDAP authentication" AuthzLDAPMethod "ldap" AuthzLDAPServer "ldap.example.com" AuthzLDAPUserBase "dc=example,dc=com" AuthzLDAPUserKey "uid" AuthzLDAPUserScope "base" AuthzLDAPBindDN "uid=someaccount,dc=example,dc=com" AuthzLDAPBindPassword "somepassword" require valid-user </Location> </IfModule> 2. Set the password for uid=someaccount,dc=example,dc=com to be something different than "somepassword" 3. Try authenticating using HTTP Basic Auth, giving any login/password Actual results: cannot bind to [2503] LDAP Server as uid=someaccount,dc=example,dc=com/somepassword: 49 Expected results: Plain text passwords should never be logged in Apache's log files. Logs are often shipped to other, less secure hosts, archived etc. Logging passwords significantly increases risks of their leak to unauthorized parties. For diagnostic purposes, it would be acceptable if logging plain passwords would be configurable using a dedicated configuration option, which would be documented with adequate warnings against its indiscriminate use.