Closed Bug 1443458 Opened 7 years ago Closed 7 years ago

Default simpleSAMLphp Password in use on https://www.mozdatacollective.com/simplesaml/

Categories

(Data & BI Services Team :: DI: Other, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: griffin.francis.1993, Assigned: hnair)

Details

(Keywords: reporter-external, sec-low, wsec-authentication)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36

Steps to reproduce:

Hello. Whilst authenticating via Github on https://www.mozdatacollective.com/simplesaml/ I noticed that there is simplesaml installed. Whilst clicking on the authentication tab and then "Login as Administrator", I am informed that "The password in the configuration (auth.adminpassword) is not changed from the default value. Please edit the configuration file." Whilst the risk here is low, as the application requires you to change the password from the default value before you can perform certain actions such as viewing the PHPinfo file, you can still view modules installed on the host via https://www.mozdatacollective.com/simplesaml/module.php/modinfo/ and also some sign-in information situated at https://www.mozdatacollective.com/simplesaml/module.php/core/authenticate.php?as=default-sp

Actual results:

Default password is currently set for SimpleSAML.

Expected results:

Default credentials should not be set as admin/123.
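The warning quoted above is what SimpleSAMLphp shows when `auth.adminpassword` in `config/config.php` still holds the shipped value `123`. The script below is an added example for this report, not SimpleSAMLphp's or Mozilla's code: it audits a `config.php` for the default or a plaintext admin password and for the `admin.protectindexpage` / `admin.protectmetadata` options being off, then rewrites the file with a salted hash and the protections enabled. The `{SSHA256}` layout it produces (base64 of `sha256(password || salt) || salt`) follows the legacy format of SimpleSAMLphp 1.x's `bin/pwgen.php`; that layout is an assumption here, so check what your installed version expects. The sample config text is constructed.

```python
"""Audit and harden admin-password settings in a SimpleSAMLphp config.php.

Example code added for this bug report; not SimpleSAMLphp's own code.
Assumption: the {SSHA256} format matches the legacy pwgen.php output
(base64 of sha256(password || salt) || salt). Verify for your version.
"""
import base64
import hashlib
import hmac
import os
import re

DEFAULT_ADMIN_PASSWORD = "123"  # value shipped in config-templates/config.php
# Hashed forms we accept: legacy {SHA*}/{SSHA*} prefixes or a bcrypt string.
HASHED = re.compile(r"^(\{S?SHA(1|256|384|512)\}|\$2[aby]\$)")

# Constructed sample of a config.php that kept the shipped defaults.
WEAK_CONFIG = """<?php
$config = [
    'auth.adminpassword' => '123',
    'admin.protectindexpage' => false,
    'admin.protectmetadata' => false,
];
"""


def get_option(config_text, key):
    """Return the literal assigned to 'key' => ... as a string, or None."""
    pattern = r"'%s'\s*=>\s*('([^']*)'|[A-Za-z0-9_]+)" % re.escape(key)
    m = re.search(pattern, config_text)
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(1)


def set_option(config_text, key, literal):
    """Replace the literal assigned to 'key'; literal must already be PHP syntax."""
    pattern = r"('%s'\s*=>\s*)('[^']*'|[A-Za-z0-9_]+)" % re.escape(key)
    return re.sub(pattern, lambda m: m.group(1) + literal, config_text, count=1)


def audit(config_text):
    """Return a list of findings; an empty list means the checked settings are sane."""
    findings = []
    pw = get_option(config_text, "auth.adminpassword")
    if pw is None:
        findings.append("auth.adminpassword is not set")
    elif pw == DEFAULT_ADMIN_PASSWORD:
        findings.append("auth.adminpassword is still the shipped default '123'")
    elif not HASHED.match(pw):
        findings.append("auth.adminpassword is stored in plaintext; store a salted hash")
    for key in ("admin.protectindexpage", "admin.protectmetadata"):
        if get_option(config_text, key) != "true":
            findings.append("%s is not true; those pages do not require the admin login" % key)
    return findings


def ssha256(password, salt=None):
    """Legacy salted hash: '{SSHA256}' + b64(sha256(pw || salt) || salt), 8-byte salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()


def verify_ssha256(password, stored):
    """Constant-time check of a password against an {SSHA256} string."""
    if not stored.startswith("{SSHA256}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA256}"):])
    digest, salt = raw[:32], raw[32:]
    candidate = hashlib.sha256(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def harden(config_text, new_password):
    """Return config text with a hashed admin password and the protect options on."""
    if new_password == DEFAULT_ADMIN_PASSWORD or len(new_password) < 12:
        raise ValueError("choose a long, non-default admin password")
    out = set_option(config_text, "auth.adminpassword", "'%s'" % ssha256(new_password))
    out = set_option(out, "admin.protectindexpage", "true")
    out = set_option(out, "admin.protectmetadata", "true")
    return out


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("FINDING:", finding)
    fixed = harden(WEAK_CONFIG, "long-random-admin-passphrase")
    print("after hardening:", audit(fixed) or "no findings")
```

Run it against a real `config/config.php` by reading the file into `audit()`; a non-empty list is the same condition the reporter observed from the login page, found without touching the live site.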
Thanks for the report. I created a servicenow ticket as I am not sure who runs this website: https://mozilla.service-now.com/sp?sys_id=ca7b14b3db601f00809e17e15b961969&view=sp&id=ticket&table=u_feedback
Assignee: nobody → infra
Group: websites-security → mozilla-employee-confidential
Status: UNCONFIRMED → NEW
Component: Other → Infrastructure: Other
Ever confirmed: true
Product: Websites → Infrastructure & Operations
QA Contact: cshields
Assignee: infra → server-ops-webops
Component: Infrastructure: Other → WebOps: Other
QA Contact: cshields → smani
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6344]
Group: mozilla-employee-confidential → websites-security
Talked with cshields about this, we think this is operated by Vyas, now CC'd and NI'd for comment.
Flags: needinfo?(vswaminathan)
Assignee: server-ops-webops → spatil
Group: metrics-private
Component: WebOps: Other → DI: Other
Product: Infrastructure & Operations → Data & BI Services Team
QA Contact: smani → mpressman
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6344]
Version: unspecified → other
Assignee: spatil → hnair
This issue was brought to the vendor's attention, and they changed the default password: "Nothing significant can be gleaned from the simplesaml page. The actual configuration that allows for SSO at Mozilla is only accessible directly on the server (ssh). That being said, we went ahead and changed the password for the Administrator. Thank you for bringing this to our attention."
Flags: needinfo?(vswaminathan)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Flags: sec-bounty?
Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-
This web property is not an eligible bounty property. However, this helped us reduce risk for this web property and we have awarded a hall of fame mention at our next update interval (they are updated quarterly). Thanks Griffin!
Group: websites-security
cvalaas/harish: We see no further reason to keep this confidential and it is our practice to make our bounty related bugs public unless there is some open risk we have yet to mitigate or redact. In this case, I think we're good to open this up to the public, but I don't possess the BMO permissions to lift it. Could you help with that?
Flags: needinfo?(hnair)
Flags: needinfo?(cvalaas)
Group: metrics-private
Flags: needinfo?(hnair)
Flags: needinfo?(cvalaas)

Hi April. Could you please update the HOF to include me for this reported issue?

Flags: needinfo?(april)

Yes, I will take care of it. Please do not use the needinfo flag for this purpose in the future.

Flags: needinfo?(april)