Description of problem:
Passwords that have been submitted to the database are retrievable in the UI. Viewing the page, the password field is obfuscated with asterisks. But viewing the HTML source, the password is clearly visible. This password should be an encrypted hash of the password to protect it once it has already been accepted by the DB. Some users may have Admin permissions within CloudForms but they are not provided passwords to other sensitive applications such as vCenter and Active Directory/LDAP. But a user is able to look at HTML source and get these passwords. As a security measure in the UI, this password should be an encrypted hash. Or once the password has been submitted to the database, it should have a link to update the password (challenge old pw, new pw, new pw). It should not have the password unencrypted in the HTML source.

Version-Release number of selected component (if applicable):
5.2.5

How reproducible:
very

Steps to Reproduce:
Log into CloudForms and navigate to Configure=>Configuration.
From left nav tree, select Settings and click on a server.
In the content window, click on the Authentication tab.
In the Role Settings area, click on the Bind Password field.
If using Chrome, right click and select Inspect Element (for other browsers, just view source and search for the Bind Password field).
The password is clearly visible in the HTML source.

Actual results:

Expected results:

Additional info:
This will need at least one CVE. Ideally, if we identify all of these issues and fix them at the same time, this will be a single CVE; otherwise we'll have multiple CVEs. Starting an email thread with all involved people.
Are any of these passwords shown to users that should not have access to them, e.g. are they only shown to the users that would be able to set them?
As far as I see so far, only shown to users that would be able to set them.
upstream fix merged
https://github.com/ManageIQ/manageiq/pull/926

commits:
67e4c94db6ac9b610806d1f58dd859323fb82640 Revert hiding of amazon key.
e030433ade9b918e4fa19857d8704aa637effe4d Add conditional placeholders to HTML password fields.
6105cd66ae8a0657797ec67140ac02dd41e08d7d Add conditional placeholders to HTML password fields.
10a5d72057f11b14eef2f3111c6e0e859b2a205b Do not pass infra provider passwords to HTML form.
3f8cf61f20cdfebcc1af7c38c7a74710c195a818 Do not pass Amazon secrets and LDAP password to HTML form.
5dbdfe34e355b2ee58f9ffc01e9739e0b6da032e Do not pass DB password to HTML form.
20383472c153a0e62f5963a62035394aa9bf86ce Do not pass SMTP password to HTML form.
394d07cecc41bf46c0c946076892daab587087b2 Cleanup email password partial.
fd3beebc0b84fe5d7aefcdbc017646c88ef607be Cleanup credentials for RHN partial.
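The pattern named by the commit titles above (no secret passed to the HTML form, a conditional placeholder instead), as an added example that is not taken from the ManageIQ pull request. The field names, sample values and the blank-means-keep update rule are assumptions made for illustration.

```ruby
require "erb"

# Constructed sample record; the field names are hypothetical.
SETTINGS = { bind_dn: "cn=svc,dc=example,dc=com", bind_pwd: "S3cr3t-constructed" }.freeze

# Before: the stored secret lands in the value attribute. The browser masks
# it on screen, but it is plain text in the page source.
LEAKY = ERB.new(<<~'HTML')
  <input type="text" name="bind_dn" value="<%= ERB::Util.h(s[:bind_dn]) %>">
  <input type="password" name="bind_pwd" value="<%= ERB::Util.h(s[:bind_pwd]) %>">
HTML

# After: the secret is never emitted; a placeholder appears only if one is stored.
SAFE = ERB.new(<<~'HTML')
  <input type="text" name="bind_dn" value="<%= ERB::Util.h(s[:bind_dn]) %>">
  <input type="password" name="bind_pwd" value=""<%= ' placeholder="********"' unless s[:bind_pwd].to_s.empty? %>>
HTML

def render(template, settings)
  template.result_with_hash(s: settings)
end

# Regression check: names of password inputs rendered with a non-empty value.
def leaked_password_fields(html)
  tags = html.scan(/<input\b[^>]*>/i).select do |tag|
    tag =~ /\btype=["']?password/i && tag =~ /\bvalue=(["'])(?!\1)/i
  end
  tags.map { |tag| tag[/\bname=["']([^"']+)/i, 1] }
end

# Server side (assumed rule): the form no longer carries the secret, so a
# blank submitted password means "keep the stored one".
def apply_update(stored, params)
  updated = stored.merge(bind_dn: params.fetch(:bind_dn, stored[:bind_dn]))
  pwd = params[:bind_pwd].to_s
  pwd.empty? ? updated : updated.merge(bind_pwd: pwd)
end

if $PROGRAM_NAME == __FILE__
  p leaked_password_fields(render(LEAKY, SETTINGS))
  p leaked_password_fields(render(SAFE, SETTINGS))
end
```

The `leaked_password_fields` check can be run against rendered pages in a view test so that a password value reintroduced into a form fails the build.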
changes cherry-picked to production/5.3.z

commits:
52cec566394a4260ea34578fd149b4544811f5e2 Revert hiding of amazon key.
ccdc9b6a9ddb31c1cca8d3a2ecc7bf4b25b7807e Add conditional placeholders to HTML password fields.
415b70160416b4507f5a7e9628a2f3c3d2fafbcf Add conditional placeholders to HTML password fields.
ccd2853251d6c53977f1b9401b2c3ac1edb23fba Do not pass infra provider passwords to HTML form.
361a46a67ca9a73cfe4618273cda5870e5c1ab24 Do not pass Amazon secrets and LDAP password to HTML form.
6b2f08b8bd2896671dec142b9da3f77f06fc11d8 Do not pass DB password to HTML form.
bc53cbb4a44151998d96a5f0f6bde6f7fec63f2c Do not pass SMTP password to HTML form.
5f0827372827b3903e34c5c879c92141ed73a7b6 Cleanup email password partial.
20d9864581938b9ab35ac130f41745ac4aa7e704 Cleanup credentials for RHN partial.
good 2 go in 5.3.2.06
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2015-0028.html