Bug 391519 - Perl errors can display the password during login
Status: RESOLVED WORKSFORME (Closed)
Opened 17 years ago, closed 14 years ago
Product/Component: Bugzilla :: User Accounts (defect)
Reporter: m-hans; Assignee: Unassigned
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Build Identifier: Bugzilla Version 2.22.2

I worked at the University of Kansas. We are forming a Quality Assurance group in the Informatic Technology area. We will be using Bugzilla. Another group is already using Bugzilla. The person in charge of giving us access to Bugzilla gave my supervisor access. The access worked. So I tried to get onto Bugzilla. I was not given access. When I tried to sign on I received this system message:

Bugzilla::Auth::Verify::LDAP::Authenticate('Bugzilla::Auth::Verify::'LDAP','m-hans', 'my password XXXXX') called.

There were two more messages that have my password in them: 'insert_new_user' and 'Verify LDAP'. I cannot reduplicate the situation because I was set up and got into Bugzilla. I think I should have informed you of the situation. No one should have the password displayed in a system message. You can contact me at m-hans@ku.edu for further information. I think I gave all the information that was displayed to me.

Thanks
Michael Harmon

Reproducible: Couldn't Reproduce

Steps to Reproduce:
1.
2.
3.
Comment 1•17 years ago
So what you mean is that this occurs the very first time when you have no account yet, and that you don't get this error anymore when trying to log in again later?
Version: unspecified → 2.22.2
Comment 2•17 years ago
(In reply to comment #0)
> I was not given access. When I tried to signed on I recieved this System
> message.

To be clear, what do you mean by "System message"? Did you get it in your web browser, in your web server log or anywhere else?
Comment 3•17 years ago
I think what we need to do here is disable CGI::Carp's fatalsToBrowser during any call which might include someone's password. To be clear, this situation should be relatively rare, which is why I'm marking this as minor. Something would have to actually "die" or "confess" with a backtrace that involved the password.
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Summary: Software error - display the password → Perl errors can display the password during login
Updated•17 years ago
Assignee: installation → user-accounts
Component: Installation & Upgrading → User Accounts
Updated•16 years ago
Group: webtools-security → bugzilla-security
Updated•16 years ago
Group: bugzilla-security → webtools-security
Updated•16 years ago
Group: webtools-security → bugzilla-security
Comment 4•14 years ago
In Bugzilla 3.0, I re-wrote the Auth system to pass around hashrefs instead of directly passing around the username and password as strings. That means that if there's a crash in this code, it will simply display something like HASH(0x1298fade) instead of the password. So that makes this WFM as of Bugzilla 3.0 or later.
Group: bugzilla-security
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
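The mechanism behind comment 3 and comment 4, as an added illustration that is not Bugzilla's own code: Carp's confess() prints every caller's arguments in its backtrace, so a die in the auth path with the password passed as a plain string puts the password into the error text (which CGI::Carp's fatalsToBrowser then renders to the browser), whereas a hashref argument shows up only as HASH(0x...). The function names and the sample password below are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla's code): why a Carp backtrace leaks a plaintext
# password argument, and how wrapping credentials in a hashref avoids it.
use strict;
use warnings;
use Carp qw(confess);

# Old style (Bugzilla 2.22): credentials passed as plain string arguments.
# A failure deep in the auth path (e.g. an LDAP bind error) calls confess,
# whose backtrace lists each frame's arguments, password included.
sub authenticate_strings {
    my ($user, $password) = @_;
    confess "LDAP bind failed";
}

# New style (Bugzilla 3.0+): credentials wrapped in a hashref. The backtrace
# prints only the reference's address (HASH(0x...)), never its contents.
sub authenticate_hashref {
    my ($params) = @_;
    confess "LDAP bind failed";
}

# Run a failing call and return the error text a fatalsToBrowser handler
# would have shown, so the two styles can be compared.
sub capture_trace {
    my ($code) = @_;
    eval { $code->() };
    return $@ // '';
}

my $secret = 'constructed-example-password';   # constructed sample value

my $leaky = capture_trace(sub { authenticate_strings('m-hans', $secret) });
my $safe  = capture_trace(sub {
    authenticate_hashref({ user => 'm-hans', password => $secret });
});

printf "string args leak the password: %s\n",
    (index($leaky, $secret) >= 0 ? 'yes' : 'no');
printf "hashref leaks the password:    %s\n",
    (index($safe, $secret) >= 0 ? 'yes' : 'no');
print "\n--- backtrace with string args ---\n$leaky";
print "\n--- backtrace with hashref ---\n$safe";
```

Carp truncates individual arguments beyond $Carp::MaxArgLen, but a typical password is well under that limit, so the string-argument version still exposes it in full.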