Bug 572303 - Attempting to create a user following an expired admin session exposes username/passwd pair of new user in URL.
Summary: Attempting to create a user following an expired admin session exposes userna...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: Core Server
Version: 1.3.1
Hardware: All
OS: Linux
low
high
Target Milestone: ---
: ---
Assignee: RHQ Project Maintainer
QA Contact: Mike Foley
URL:
Whiteboard:
Depends On:
Blocks: rhq4
TreeView+ depends on / blocked
 
Reported: 2010-03-10 19:40 UTC by Corey Welton
Modified: 2013-09-03 16:55 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-03 16:55:19 UTC
Embargoed:


Attachments (Terms of Use)

Description Corey Welton 2010-03-10 19:40:11 UTC
Description of problem:

If an admin user is creating a new user in RHQ, and for whatever reason has a session invalidated, upon logging back in, the username and passwd of the new user is exposed over the http URL.  

Version-Release number of selected component (if applicable):


How reproducible:
Difficult to reproduce the session invalidation, but if that is done, this can be easily replicated.  It can probably be reproduced by waiting for session timeout while on the user creation page, or perhaps via the method below.

Steps to Reproduce:
1.  Login as rhqadmin on two separate web sessions
2.  On the first session, begin creating a new user ("testuser"); populate all fields, but do not yet submit.
3.  On the second session, logout of RHQ.  This /may/ cause the first session to invalidate.  If it doesn't, you'll have to find another method to invalidate the session (delete cookies, wait for session timeout, etc).
4.  On the first session, hit the submit button to create new user.
5.  Noting that you have been logged out, log back in.
6.  Observe the resulting page and URL to which you have navigated
  
Actual results:
Upon logging back in, user is directed to a page akin to:
http://10.3.250.71:7080/admin/user/New.do?lastName=testuser&confirmPassword=mypassword&phoneNumber=&department=&newPassword=mypassword&name=testuser&emailAddress=testuser@redhat.com&enableLogin=yes&okassign.y=7&okassign.x=69&firstName=testuser 

In other words, the user/password pair is exposed in URL, easily visible to any onlooker and/or anyone sniffing the connection.

Expected results:
Shouldn't pass sensitive data in URLs.

Additional info:

Comment 1 Jeff Weiss 2010-03-10 20:00:33 UTC
Sniffing isn't an issue since the password has to be submitted somehow, and we support https to avoid plaintext.

But still a security issue because of the display in the url bar.

Comment 2 Charles Crouch 2010-06-02 12:41:11 UTC
Talked to mschoene and he agreed this is a low priority and something we should be able to address during the update to gwt.

Comment 3 Ian Springer 2011-02-11 22:34:59 UTC
This should no longer be an issue in coregui.

Comment 4 Mike Foley 2011-06-13 15:49:03 UTC
passwords are visually obfuscated, not passed in URLs.  used firebug to try and see the password, but could not

Comment 5 Heiko W. Rupp 2013-09-03 16:55:19 UTC
Bulk closing of old issues that are in VERIFIED state.


Note You need to log in before you can comment on or make changes to this bug.