Perl errors can display the password during login

RESOLVED WORKSFORME

Status: RESOLVED WORKSFORME
Product: Bugzilla
Component: User Accounts
Priority: --
Severity: minor
Reported: 10 years ago
Modified: 8 years ago

People: Reporter: Michael Harmon; Assignee: Unassigned

Description (Reporter, 10 years ago)
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Build Identifier: Bugzilla Version 2.22.2 

I worked at the University of Kansas. We are forming a Quality Assurance group in the Informatic Technology area. We will be using Bugzilla. Another group is already using Bugzilla. The person in charge of giving us access to Bugzilla gave my supervisor access. The access worked. So I tried to get onto Bugzilla. I was not given access. When I tried to sign on I received this System message.
Bugzilla::Auth::Verify::LDAP::Authenticate('Bugzilla::Auth::Verify::'LDAP','m-hans', 'my password XXXXX') called.
There were two more messages that have my password in them: 'insert_new_user' and 'Verify LDAP'.

I cannot reduplicate the situation because I was set up and got into Bugzilla.

I think I should inform you of the situation.
No one should have the password displayed in a system message.

You can contact me at m-hans@ku.edu for further information. I think I gave all the information that was displayed to me.

Thanks

Michael Harmon

Reproducible: Couldn't Reproduce

Steps to Reproduce:
1.
2.
3.

Comment 1

10 years ago
So what you mean is that this occurs the very first time when you have no account yet, and that you don't get this error anymore when trying to log in again later?
Version: unspecified → 2.22.2

Comment 2

10 years ago
(In reply to comment #0)
> I was not given access. When I tried to signed on I recieved this System
> message.

To be clear, what do you mean by "System message"? Did you get it in your web browser, in your web server log or anywhere else?

Comment 3

10 years ago
I think what we need to do here is disable CGI::Carp's fatalsToBrowser during any call which might include someone's password.

To be clear, this situation should be relatively rare, which is why I'm marking this as minor. Something would have to actually "die" or "confess" with a backtrace that involved the password.
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Summary: Software error - display the password → Perl errors can display the password during login

Updated

10 years ago
Assignee: installation → user-accounts
Component: Installation & Upgrading → User Accounts
Group: webtools-security → bugzilla-security
Group: bugzilla-security → webtools-security
Group: webtools-security → bugzilla-security

Comment 4

8 years ago
In Bugzilla 3.0, I re-wrote the Auth system to pass around hashrefs instead of directly passing around the username and password as strings. That means that if there's a crash in this code, it will simply display something like HASH(0x1298fade) instead of the password.

So that makes this WFM as of Bugzilla 3.0 or later.
Group: bugzilla-security
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WORKSFORME
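The mechanism behind comment 3 and the fix in comment 4, as an added example that is not Bugzilla's own code: Carp's confess()/longmess() (which is what CGI::Carp's fatalsToBrowser would send to the browser) prints the stringified arguments of every frame in the backtrace, so a password passed as a plain string appears verbatim, while a hashref stringifies to HASH(0x...) and carries no secret. The sub names, the "LDAP bind failed" message and the credentials are constructed stand-ins, not Bugzilla identifiers.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's code: why a Perl backtrace can expose a
# password passed as a string, and why passing a hashref does not.
use strict;
use warnings;
use Carp qw(longmess);

# Hypothetical stand-in for the pre-3.0 style: credentials as plain strings.
sub authenticate_with_strings {
    my ($username, $password) = @_;
    # longmess() returns exactly the text confess() would die with,
    # including every frame's arguments, e.g.
    #   main::authenticate_with_strings('m-hans', 'hunter2') called at ...
    return longmess("LDAP bind failed");
}

# Hypothetical stand-in for the 3.0+ style: credentials inside a hashref.
sub authenticate_with_hashref {
    my ($login_data) = @_;    # { username => ..., password => ... }
    return longmess("LDAP bind failed");
}

# Returns 1 if the backtrace text contains the given secret, 0 otherwise.
sub trace_leaks_secret {
    my ($trace, $secret) = @_;
    return index($trace, $secret) >= 0 ? 1 : 0;
}

# Constructed sample credentials (not real).
my ($user, $secret) = ('m-hans', 'hunter2');

my $trace_strings = authenticate_with_strings($user, $secret);
my $trace_hashref = authenticate_with_hashref({ username => $user, password => $secret });

printf "string args leak the password:  %s\n",
    trace_leaks_secret($trace_strings, $secret) ? 'yes' : 'no';
printf "hashref arg leaks the password: %s\n",
    trace_leaks_secret($trace_hashref, $secret) ? 'yes' : 'no';

# Show what the hashref frame actually reveals: only an address, no data.
if ($trace_hashref =~ /(HASH\(0x[0-9a-f]+\))/) {
    print "hashref frame shows: $1\n";
}
```

Run it with plain `perl`; the first line reports `yes` and the second `no`. The hashref approach is a containment measure, not a substitute for keeping backtraces out of browser output: with `use CGI::Carp qw(fatalsToBrowser)` in effect, whatever text confess() produces is what the user sees, so any other frame that still holds the password as a scalar (or a structure that stringifies its contents) would leak it in the same way.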