Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 308897 - Bugzilla: cleartext password in URL after reset and login
Summary: Bugzilla: cleartext password in URL after reset and login
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Bugzilla (show other bugs)
Hardware: All All
: Highest critical (vote)
Assignee: Bugzilla Admins
URL:
Whiteboard: Password disclosure in log data
Keywords:
Depends on:
Blocks: 213782
  Show dependency tree
 
Reported: 2010-03-10 20:55 UTC by Mansour Moufid
Modified: 2011-10-30 23:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mansour Moufid 2010-03-10 20:55:19 UTC 
I just reset my bugs.gentoo.org password and after submitting a new password and logging in, I noticed the current page's URL was:

<https://bugs.gentoo.org/token.cgi?t=rD1epTwL74&a=chgpw&password=*****&matchpassword=*****&GoAheadAndLogIn=1>

where "*****" is my password in cleartext.

I realize the connection is over SSL, but isn't this a bug?

I apologize if this has been brought up before, I didn't find anything in a search.

Reproducible: Didn't try

Steps to Reproduce:
1. Follow link in reset-password email.
2. Enter new password.
3. Click "Login" link at bottom of page.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-03-11 08:03:01 UTC 
That password turning up there is extremely concerning.

The token.cgi page should be doing a POST, not a GET. Looking in the logs, I can see it does a POST the first time, but then there seems to be a redirect afterwards.

mkanat/upstream: potential "minor" sec vuln, in that this is disclosed in the URLs and so ends up in a lot of logs.

Mansour: can you tell me which of the following was actually manually initiated by you, and which was redirects? (I'm pretty sure the first two, but I don't know after that).

__IP__ - - [10/Mar/2010:20:40:27 +0000] "GET /token.cgi?t=__TOKEN__&a=cfmpw HTTP/1.1" 200 1634 "-" "__UA__"
__IP__ - - [10/Mar/2010:20:40:44 +0000] "POST /token.cgi HTTP/1.1" 200 1506 "-" "__UA__"
__IP__ - - [10/Mar/2010:20:40:49 +0000] "GET /token.cgi?t=__TOKEN__&a=chgpw&password=__PASSWORD__&matchpassword=__PASSWORD__&GoAheadAndLogIn=1 HTTP/1.1" 200 1976 "-" "__UA__"
__IP__ - - [10/Mar/2010:20:41:00 +0000] "POST /token.cgi HTTP/1.1" 200 2004 "-" "__UA__"
__IP__ - - [10/Mar/2010:20:41:30 +0000] "GET /token.cgi?t=__TOKEN__&a=chgpw&password=__PASSWORD__&matchpassword=__PASSWORD__&GoAheadAndLogIn=1&GoAheadAndLogIn=1 HTTP/1.1" 200 2004 "-" "__UA__"
__IP__ - - [10/Mar/2010:20:42:40 +0000] "GET /token.cgi?t=__TOKEN__&a=chgpw&password=__PASSWORD__&matchpassword=__PASSWORD__&GoAheadAndLogIn=1&GoAheadAndLogIn=1 HTTP/1.1" 200 2004 "-" "__UA__"
Comment 2 Mansour Moufid 2010-03-11 22:43:35 UTC 
(In reply to comment #1)
> Mansour: can you tell me which of the following was actually manually initiated
> by you, and which was redirects? (I'm pretty sure the first two, but I don't
> know after that).
> 
> __IP__ - - [10/Mar/2010:20:40:27 +0000] "GET /token.cgi?t=__TOKEN__&a=cfmpw
> HTTP/1.1" 200 1634 "-" "__UA__"
> __IP__ - - [10/Mar/2010:20:40:44 +0000] "POST /token.cgi HTTP/1.1" 200 1506 "-"
> "__UA__"
> __IP__ - - [10/Mar/2010:20:40:49 +0000] "GET
> /token.cgi?t=__TOKEN__&a=chgpw&password=__PASSWORD__&matchpassword=__PASSWORD__&GoAheadAndLogIn=1
> HTTP/1.1" 200 1976 "-" "__UA__"
> __IP__ - - [10/Mar/2010:20:41:00 +0000] "POST /token.cgi HTTP/1.1" 200 2004 "-"
> "__UA__"
> __IP__ - - [10/Mar/2010:20:41:30 +0000] "GET
> /token.cgi?t=__TOKEN__&a=chgpw&password=__PASSWORD__&matchpassword=__PASSWORD__&GoAheadAndLogIn=1&GoAheadAndLogIn=1
> HTTP/1.1" 200 2004 "-" "__UA__"
> __IP__ - - [10/Mar/2010:20:42:40 +0000] "GET
> /token.cgi?t=__TOKEN__&a=chgpw&password=__PASSWORD__&matchpassword=__PASSWORD__&GoAheadAndLogIn=1&GoAheadAndLogIn=1
> HTTP/1.1" 200 2004 "-" "__UA__"
> 

After the password reset, I'm assuming I was automatically logged in, because I remember seeing an invalid token error after clicking "Login" (after the second time -- hadn't read the error at first). But there was still a "Login" link at the bottom right, as opposed to "Log out" as there is now. Maybe a browser caching issue?

So then I refreshed the page, and I'm guessing that's when the form data was re-submitted as a GET. Actually, this may all be Firefox's fault... Those GET lines were probably me hitting Login again and again. I think that explains the "&GoAheadAndLogIn=1&GoAheadAndLogIn=1". (At that point I gave up and went straight to bugs.gentoo.org, only to see that I was already logged in.)

Maybe I missed a redirect page somewhere (browser blocks those)?
Comment 3 Frédéric Buclin 2011-03-07 16:40:04 UTC 
I doubt this is still an issue in Bugzilla 3 or 4. Now that you upgraded to 4.0, you should check if that's still a problem. But I don't think so.
Comment 4 Christian Ruppert (idl0r) gentoo-dev 2011-03-07 16:47:20 UTC 
(In reply to comment #3)
> I doubt this is still an issue in Bugzilla 3 or 4. Now that you upgraded to
> 4.0, you should check if that's still a problem. But I don't think so.

Yup, it has been fixed in 3.x already. I just tested it again, still fixed :)