Bug 1336538 - LDAP bind username and password in url
Summary: LDAP bind username and password in url
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.6.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: GA
: 5.6.0
Assignee: Martin Hradil
QA Contact: amogh
URL:
Whiteboard: ldap:ui
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-05-16 19:06 UTC by amogh
Modified: 2016-08-24 14:07 UTC (History)
10 users (show)

Fixed In Version: 5.6.0.8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-29 16:02:46 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1348 0 normal SHIPPED_LIVE CFME 5.6.0 bug fixes and enhancement update 2016-06-29 18:50:04 UTC

Description amogh 2016-05-16 19:06:20 UTC 
Description of problem:
When the system is binding with CloudForms we are seeing that the password is being logged in plain text.

Version-Release number of selected component (if applicable):
5.6.0.6-beta2.5.20160511140943_ff75fb2

How reproducible:
always

Steps to Reproduce:
1. configure the authentication mode to LDAP
2. Specify BaseDN, Bind DN and Bind Password click validate and save.
3. Observe that in apache/ssl_access.log the password in logged in plain text

Actual results:
Bind dn Password logged as plain text in apache logs.

Expected results:
Password needs to be filtered/masked in the logs.

Additional info:

/var/www/miq/vmdb/log/apache/ssl_access.log:

./apache/ssl_access.log:10.13.129.33 - - [16/May/2016:14:58:37 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 200 97
./apache/ssl_access.log:10.13.129.33 - - [16/May/2016:14:58:47 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 200 97
./apache/ssl_access.log:10.13.129.33 - - [16/May/2016:14:58:47 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 200 97
./apache/ssl_access.log:10.13.129.33 - - [16/May/2016:14:58:48 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 200 97
./apache/ssl_access.log:10.13.129.33 - - [16/May/2016:14:58:48 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 200 97
./apache/ssl_access.log:10.13.129.33 - - [16/May/2016:14:58:49 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 200 97
./apache/ssl_access.log:10.13.129.33 - - [16/May/2016:14:58:49 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 200 97
./apache/ssl_access.log:10.13.129.33 - - [16/May/2016:14:58:50 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 200 97
./apache/ssl_access.log:10.13.129.33 - - [16/May/2016:14:58:50 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 200 97
./apache/ssl_access.log:10.13.129.33 - - [16/May/2016:14:58:51 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 200 97
./apache/ssl_access.log:10.13.129.33 - - [16/May/2016:14:58:52 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 200 97
./apache/ssl_request.log:[16/May/2016:14:58:37 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT>HTTP/1.1" 97
./apache/ssl_request.log:[16/May/2016:14:58:47 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 97
./apache/ssl_request.log:[16/May/2016:14:58:47 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 97
./apache/ssl_request.log:[16/May/2016:14:58:48 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 97
./apache/ssl_request.log:[16/May/2016:14:58:48 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 97
./apache/ssl_request.log:[16/May/2016:14:58:49 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 97
./apache/ssl_request.log:[16/May/2016:14:58:49 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 97
./apache/ssl_request.log:[16/May/2016:14:58:50 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 97
./apache/ssl_request.log:[16/May/2016:14:58:50 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 97
./apache/ssl_request.log:[16/May/2016:14:58:51 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 97
./apache/ssl_request.log:[16/May/2016:14:58:52 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN-TEXT> HTTP/1.1" 97
./preconfigure-logs/evm.log:[----] I, [2016-05-11T20:18:21.174536 #12260:7af990]  INFO -- :     :bind_pwd:
Comment 2 Joe Vlcek 2016-05-16 19:38:37 UTC 
It appears the UI is generating the URL with an unencrypted password
Comment 4 Martin Hradil 2016-05-20 08:49:51 UTC 
https://github.com/ManageIQ/manageiq/pull/8833
Comment 5 amogh 2016-05-31 15:15:32 UTC 
verified in 5.6.0.8-rc1.20160524155303_f2a5a50. Issue not reproducible.

[root@host-192-168-55-6 log]# grep -i bind_pwd apache/ssl_access.log 
[root@host-192-168-55-6 log]#


Additional logs attached.
Comment 6 amogh 2016-05-31 15:15:33 UTC 
verified in 5.6.0.8-rc1.20160524155303_f2a5a50. Issue not reproducible.

[root@host-192-168-55-6 log]# grep -i bind_pwd apache/ssl_access.log 
[root@host-192-168-55-6 log]#


Additional logs attached.
Comment 10 errata-xmlrpc 2016-06-29 16:02:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1348
Note You need to log in before you can comment on or make changes to this bug.