Bug 1715725 - Sending credentials in query string logs them in ovirt-request-logs
Summary: Sending credentials in query string logs them in ovirt-request-logs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.3.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ovirt-4.4.0
Target Release: ---
Assignee: Ori Liel
QA Contact: Guilherme Santos
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-05-31 05:32 UTC by Germano Veit Michel
Modified: 2020-08-04 13:19 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-04 13:19:31 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:



Links
- Red Hat Knowledge Base (Solution) 4178001: "User credentials exposed in ovirt-requests-log" (Troubleshoot; last updated 2019-05-31 05:33:23 UTC)
- Red Hat Product Errata RHSA-2020:3247 (last updated 2020-08-04 13:19:46 UTC)
- oVirt gerrit 102339: MERGED, "restapi: don't log credentials from URL line" (last updated 2021-01-18 11:36:50 UTC)

Description Germano Veit Michel 2019-05-31 05:32:38 UTC
Description of problem:

When using the REST API, if a user mistakenly sends the login credentials in the query string (not in the request body), the user/password is logged on RHV-M logs:
- /var/log/httpd/ovirt-requests-log
- /var/log/httpd/ssl_access_log
- /var/log/httpd/ssl_request_log

Anything we can do in the default config to prevent this?

Version-Release number of selected component (if applicable):
rhvm-4.3.3.7-0.1.el7.noarch
httpd-2.4.6-89.el7_6.x86_64

Steps to Reproduce:
A. In query string (password logged)
$ curl --cacert /etc/pki/ovirt-engine/apache-ca.pem \
  -X POST \
  -H 'Content-Type:application/x-www-form-urlencoded' \
  -H 'Accept: application/json' \
  'https://<RHV-M FQDN>/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@internal&password=redhat&scope=ovirt-app-api'

[29/May/2019:10:59:20 +1000] 10.64.24.30 "Correlation-Id: -" "Duration: 97090us" "POST /ovirt-engine/sso/oauth/token?grant_type=password&username=admin@internal&password=redhat&scope=ovirt-app-api HTTP/1.1" 310


B. In body (password not logged)
# curl --cacert /etc/pki/ovirt-engine/apache-ca.pem \
  -X POST \
  -H 'Content-Type:application/x-www-form-urlencoded' \
  -H 'Accept: application/json' \
  -d 'grant_type=password&scope=ovirt-appapi&username=admin%40internal&password=redhat' \
  'https://<RHV-M FQDN>/ovirt-engine/sso/oauth/token'

[29/May/2019:10:59:33 +1000] 10.64.24.30 "Correlation-Id: -" "Duration: 89662us" "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 172
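
As an added defender's example (not code from the bug report or from the ovirt-engine fix), a Python helper that detects credentials in the request-log format quoted above and produces a scrubbed copy, usable for auditing an existing ovirt-requests-log or as a log filter. The set of sensitive keys and the sample lines are assumptions constructed from this report.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Query keys whose values must never be logged (assumption: the oVirt SSO token params).
SENSITIVE_KEYS = {"password", "username"}
REDACTED = "REDACTED"
# The request field of an ovirt-requests-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')

# Constructed sample: the two request-log lines quoted in the bug report.
SAMPLE_LOG = [
    '[29/May/2019:10:59:20 +1000] 10.64.24.30 "Correlation-Id: -" "Duration: 97090us" '
    '"POST /ovirt-engine/sso/oauth/token?grant_type=password&username=admin@internal'
    '&password=redhat&scope=ovirt-app-api HTTP/1.1" 310',
    '[29/May/2019:10:59:33 +1000] 10.64.24.30 "Correlation-Id: -" "Duration: 89662us" '
    '"POST /ovirt-engine/sso/oauth/token HTTP/1.1" 172',
]

def redact_target(target):
    """Replace sensitive query values in a request target; return (target, leaked).
    Keys are matched, not values, so grant_type=password is left untouched."""
    parts = urlsplit(target)
    leaked, cleaned = False, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS and value:
            leaked, value = True, REDACTED
        cleaned.append((key, value))
    if not leaked:
        return target, False
    return parts._replace(query=urlencode(cleaned)).geturl(), True

def redact_log_line(line):
    """Scrub one log line; lines without a request field pass through unchanged."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, False
    target, leaked = redact_target(m.group("target"))
    if not leaked:
        return line, False
    return line[:m.start("target")] + target + line[m.end("target"):], True

def scan_log(lines):
    """Return [(line_number, scrubbed_line)] for every line that leaked a credential."""
    hits = []
    for n, line in enumerate(lines, 1):
        scrubbed, leaked = redact_log_line(line.rstrip("\n"))
        if leaked:
            hits.append((n, scrubbed))
    return hits
```

Running scan_log over the three httpd logs named in the report flags exactly the lines that need scrubbing; the body-based request (second sample line) is reported clean.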

Comment 2 Daniel Gur 2019-08-28 13:11:53 UTC
sync2jira

Comment 3 Daniel Gur 2019-08-28 13:16:06 UTC
sync2jira

Comment 4 RHV bug bot 2019-12-13 13:13:23 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops

Comment 5 RHV bug bot 2019-12-20 17:43:24 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops

Comment 6 RHV bug bot 2020-01-08 14:46:30 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops

Comment 7 RHV bug bot 2020-01-08 15:14:01 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops

Comment 8 RHV bug bot 2020-01-24 19:48:16 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops

Comment 9 Guilherme Santos 2020-02-17 15:47:39 UTC
Verified on:
httpd-2.4.6-90.el7.x86_64
ovirt-engine-4.4.0-0.20.master.el7.noarch

Steps:
1. # curl -X GET -H 'All-content: true' -H "Accept: application/json" --insecure 'https://<engine-fqdn>/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@internal&password=<password>&scope=ovirt-app-api'
2. Checked /var/log/httpd/ssl_access_log; /var/log/httpd/ovirt-requests-log; /var/log/httpd/ssl_request_log

Results
No password logged

Comment 12 errata-xmlrpc 2020-08-04 13:19:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3247
