Bug 1951353
| Summary: | [Ceph-Dashboard][Security] While changing the password in Dashboard, username and Password is clearly visible in developer tools | | |
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | skanta |
| Component: | Ceph-Dashboard | Assignee: | Nizamudeen <nia> |
| Status: | CLOSED ERRATA | QA Contact: | Sunil Angadi <sangadi> |
| Severity: | high | Docs Contact: | Anjana Suparna Sriram <asriram> |
| Priority: | medium | | |
| Version: | 5.0 | CC: | ceph-eng-bugs, epuertat, sangadi, tserlin, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | 5.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ceph-16.2.0-15.el8cp | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-08-30 08:29:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Attachments:

Created attachment 1773603: Password clear text

Created attachment 1773604: Change Password in clear text

Created attachment 1773605: Username and Password in clear text

That should be fine. My suggestion is login credentials should not be visible in the network.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 5.0 bug fix and enhancement), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3294

Created attachment 1773602: Change password in clear text

Description of problem:

Password is clearly visible as clear text in developer tools. It is not encrypted.

Version-Release number of selected component (if applicable):

ceph version 16.2.0-1.el8cp (a330ff4fed793ca0b5d3b248c395a06e432b51c4) pacific (stable)

How reproducible:

Steps to Reproduce:

1. Configure the cluster.
2. Log in to the cluster dashboard in Firefox browser. https://<cluster IP>:8443
3. Navigate to the developer tool (Open Menu -> Web Developer -> Toggle tools). A separate "Developer Tools" window opens.
4. Select the Network Monitor option by selecting the Network.
5. Now go to main page and change the password.
6. After the successful change of password, in the Developer Tools window we can notice the clear text of username and passwords in the network monitor.

Actual results:

Username and password are sent in the URL string:

{"POST":{"scheme":"https","host":"10.8.128.45:8443","filename":"/api/user/validate_password","query":{"password":"admin456","username":"admin123"},"remote":{"Address":"10.8.128.45:8443"}}}

Expected results:

It should be in the request headers/form/body in encrypted form.

Additional info:
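
An added example, not part of the bug report or of Ceph's code: request URLs, query string included, are typically written to access logs, proxy logs and browser history even when the transport is HTTPS, so a record like the one quoted above is worth checking for mechanically. The Python below audits a Network Monitor record of that shape for secret-bearing query parameters and masks them in a URL before it is logged; the marker list, the function names and the second record are assumptions of this example.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Substrings that mark a parameter name as secret-bearing (assumed list).
SENSITIVE_MARKERS = ("pass", "pwd", "secret", "token")

# Record quoted in the report, as copied from the Firefox Network Monitor.
REPORTED = ('{"POST":{"scheme":"https","host":"10.8.128.45:8443",'
            '"filename":"/api/user/validate_password",'
            '"query":{"password":"admin456","username":"admin123"},'
            '"remote":{"Address":"10.8.128.45:8443"}}}')
# Constructed record: same endpoint with nothing in the query string.
CONSTRUCTED_CLEAN = ('{"POST":{"scheme":"https","host":"10.8.128.45:8443",'
                     '"filename":"/api/user/validate_password","query":{}}}')


def is_sensitive(name):
    """True when a parameter name contains one of the assumed markers."""
    lowered = name.lower()
    return any(marker in lowered for marker in SENSITIVE_MARKERS)


def audit_record(record_json):
    """Return (method, path, parameter) for each secret found in a query string.

    Values are never returned, so the audit output itself is safe to store.
    """
    findings = []
    for method, request in json.loads(record_json).items():
        for name in request.get("query", {}):
            if is_sensitive(name):
                findings.append((method, request.get("filename", ""), name))
    return findings


def redact_url(url):
    """Mask secret-bearing query values before a URL is written to a log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if is_sensitive(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    print(audit_record(REPORTED))
    print(audit_record(CONSTRUCTED_CLEAN))
    print(redact_url("https://10.8.128.45:8443/api/user/validate_password"
                     "?password=admin456&username=admin123"))
```
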