Closed Bug 391519 Opened 17 years ago Closed 14 years ago

Perl errors can display the password during login

Categories

(Bugzilla :: User Accounts, defect)

Product:
Bugzilla
Component:
User Accounts
Version:
2.22.2
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: m-hans, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Build Identifier: Bugzilla Version 2.22.2 

I worked at the University of Kansas. We are forming a Quality Assurance group in the Informatic Technology area. We will be using Bugzilla. Another group is already using Bugzila. The person in charge of giving us access to Bugzilla gave my supervision access. The access worked. So I tried to get onto Bugzilla. I was not given access. When I tried to signed on I recieved this System message.
Bugzilla::Auth::Verify::LDAP::Authenticate('Bugzilla::Auth::Verify::'LDAP','m-hans', 'my password XXXXX') called.
There were two more messages that have my password in them: 'insert_new_user' and 'Verify LDAP'.

I cannot reduplicate the situation because I was set up and got into Bugzilla.

I think I should informed you of the situation. 
No one should have the password displayed on a system message.

You can contact me at m-hans@ku.edu for  further information. I think I gave all the information that was displayed to me.

Thanks 

Michael Harmon        

Reproducible: Couldn't Reproduce

Steps to Reproduce:
1.
2.
3.
So what you mean is that this occurs the very first time when you have no account yet, and that you don't get this error anymore when trying to log in again later?
Version: unspecified → 2.22.2
(In reply to comment #0)
> I was not given access. When I tried to signed on I recieved this System
> message.

To be clear, what do you mean by "System message"? Did you get it in your web browser, in your web server log or anywhere else?
I think what we need to do here is disable CGI::Carp's fatalsToBrowser during any call which might include someone's password.

To be clear, this situation should be relatively rare, which is why I'm marking this as minor. Something would have to actually "die" or "confess" with a backtrace that involved the password.
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Summary: Software error - display the password → Perl errors can display the password during login
Assignee: installation → user-accounts
Component: Installation & Upgrading → User Accounts
Group: webtools-security → bugzilla-security
Group: bugzilla-security → webtools-security
Group: webtools-security → bugzilla-security
In Bugzilla 3.0, I re-wrote the Auth system to pass around hashrefs instead of directly passing around the username and password as strings. That means that if there's a crash in this code, it will simply display something like HASH(0x1298fade) instead of the password.

So that makes this WFM as of Bugzilla 3.0 or later.
Group: bugzilla-security
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.