Closed
Bug 1443458
Opened 7 years ago
Closed 7 years ago
Default simpleSAMLphp Password within use on https://www.mozdatacollective.com/simplesaml/
Categories
(Data & BI Services Team :: DI: Other, task)
Tracking
(Not tracked)
Status: RESOLVED FIXED
People
(Reporter: griffin.francis.1993, Assigned: hnair)
Details
(Keywords: reporter-external, sec-low, wsec-authentication)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Steps to reproduce:
Hello.
Whilst authenticating via Github on https://www.mozdatacollective.com/simplesaml/ I noticed that simplesaml is installed. On clicking the authentication tab and then "Login as Administrator", I am informed that "The password in the configuration (auth.adminpassword) is not changed from the default value. Please edit the configuration file."
Whilst the risk here is low, as the application requires you to change the password from the default value before you can perform certain actions such as viewing the PHPinfo file, you can still view the modules installed on the host via https://www.mozdatacollective.com/simplesaml/module.php/modinfo/ and also some sign-in information at https://www.mozdatacollective.com/simplesaml/module.php/core/authenticate.php?as=default-sp
Actual results:
Default password is currently set for SimpleSAML.
Expected results:
Default credentials should not be set as admin/123.
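As an added example (not part of the report or of simpleSAMLphp itself), a small audit function that reads a simpleSAMLphp config/config.php and flags the condition described above: auth.adminpassword still set to the shipped default. The sample config text is constructed; the "{SSHA256}" value is a placeholder for a hash produced with the project's bin/pwgen.php helper (assumed to be the intended way to store a hashed admin password).

```python
import re

# Value simpleSAMLphp ships in its config template; the report above
# found the site still answering to admin/123.
DEFAULT_ADMIN_PASSWORD = "123"

# Constructed samples of the relevant config line (not copied from any host).
SAMPLE_CONFIG_DEFAULT = """
$config = [
    'auth.adminpassword' => '123',
];
"""
SAMPLE_CONFIG_FIXED = """
$config = [
    'auth.adminpassword' => '{SSHA256}PLACEHOLDER_HASH_FROM_PWGEN',
];
"""

# Matches 'auth.adminpassword' => '<value>' with either quote style.
_ADMINPASS_RE = re.compile(
    r"""['"]auth\.adminpassword['"]\s*=>\s*(['"])(.*?)\1""", re.S
)


def admin_password_setting(config_text: str):
    """Return the configured auth.adminpassword value, or None if absent."""
    m = _ADMINPASS_RE.search(config_text)
    return None if m is None else m.group(2)


def audit_admin_password(config_text: str) -> list:
    """Return a list of findings; an empty list means the setting looks acceptable."""
    value = admin_password_setting(config_text)
    findings = []
    if value is None:
        findings.append("auth.adminpassword is not set in config.php")
    elif value == DEFAULT_ADMIN_PASSWORD:
        findings.append(
            "auth.adminpassword is the shipped default; the install advertises "
            "itself as unconfigured on the admin login page"
        )
    elif not value.startswith("{") and len(value) < 12:
        findings.append(
            "auth.adminpassword is a short plaintext value; store a hash "
            "generated with bin/pwgen.php instead"
        )
    return findings
```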
Comment 1•7 years ago
Thanks for the report. I created a servicenow ticket as I am not sure who runs this website: https://mozilla.service-now.com/sp?sys_id=ca7b14b3db601f00809e17e15b961969&view=sp&id=ticket&table=u_feedback
Assignee: nobody → infra
Group: websites-security → mozilla-employee-confidential
Status: UNCONFIRMED → NEW
Component: Other → Infrastructure: Other
Ever confirmed: true
Keywords: sec-low, wsec-authentication
Product: Websites → Infrastructure & Operations
QA Contact: cshields
Updated•7 years ago
Assignee: infra → server-ops-webops
Component: Infrastructure: Other → WebOps: Other
QA Contact: cshields → smani
Updated•7 years ago
Group: mozilla-employee-confidential → websites-security
Comment 2•7 years ago
Talked with cshields about this, we think this is operated by Vyas, now CC'd and NI'd for comment.
Flags: needinfo?(vswaminathan)
Updated•7 years ago
Assignee: server-ops-webops → spatil
Group: metrics-private
Component: WebOps: Other → DI: Other
Product: Infrastructure & Operations → Data & BI Services Team
QA Contact: smani → mpressman
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6344]
Version: unspecified → other
Updated•7 years ago
Assignee: spatil → hnair
Comment 3•7 years ago
This issue was brought to the vendor's attention, and they changed the default password:
"Nothing significant can be gleaned from the simplesaml page. The actual configuration that allows for SSO at Mozilla is only accessible directly on the server (ssh). That being said, we went ahead and changed the password for the Administrator. Thank you for bringing this to our attention."
Flags: needinfo?(vswaminathan)
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•7 years ago
Flags: sec-bounty?
Updated•7 years ago
Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-
Comment 4•7 years ago
This web property is not an eligible bounty property. However, this helped us reduce risk for this web property and we have awarded a hall of fame mention at our next update interval (they are updated quarterly). Thanks Griffin!
Updated•6 years ago
Group: websites-security
Comment 5•6 years ago
cvalaas/harish: We see no further reason to keep this confidential and it is our practice to make our bounty related bugs public unless there is some open risk we have yet to mitigate or redact. In this case, I think we're good to open this up to the public, but I don't possess the BMO permissions to lift it. Could you help with that?
Flags: needinfo?(hnair)
Flags: needinfo?(cvalaas)
Updated•6 years ago
Group: metrics-private
Flags: needinfo?(hnair)
Flags: needinfo?(cvalaas)
Comment 6•5 years ago
Hi April. Could you please update the HOF to include me for this reported issue?
Flags: needinfo?(april)
Comment 7•5 years ago
Yes, I will take care of it. Please do not use the needinfo flag for this purpose in the future.
Flags: needinfo?(april)
Updated•4 months ago
Keywords: reporter-external