Perl errors can display the password during login

User Accounts
10 years ago
8 years ago

(Reporter: Michael Harmon, Unassigned)

10 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Build Identifier: Bugzilla Version 2.22.2 

I worked at the University of Kansas. We are forming a Quality Assurance group in the Informatic Technology area. We will be using Bugzilla. Another group is already using Bugzilla. The person in charge of giving us access to Bugzilla gave my supervisor access. The access worked. So I tried to get onto Bugzilla. I was not given access. When I tried to sign on I received this System message.
Bugzilla::Auth::Verify::LDAP::Authenticate('Bugzilla::Auth::Verify::'LDAP','m-hans', 'my password XXXXX') called.
There were two more messages that have my password in them: 'insert_new_user' and 'Verify LDAP'.

I cannot reduplicate the situation because I was set up and got into Bugzilla.

I think I should inform you of the situation.
No one should have the password displayed in a system message.

You can contact me at for further information. I think I gave all the information that was displayed to me.


Michael Harmon        

Reproducible: Couldn't Reproduce

Steps to Reproduce:

Comment 1

10 years ago
So what you mean is that this occurs the very first time when you have no account yet, and that you don't get this error anymore when trying to log in again later?
Version: unspecified → 2.22.2

Comment 2

10 years ago
(In reply to comment #0)
> I was not given access. When I tried to signed on I recieved this System
> message.

To be clear, what do you mean by "System message"? Did you get it in your web browser, in your web server log or anywhere else?

Comment 3

10 years ago
I think what we need to do here is disable CGI::Carp's fatalsToBrowser during any call which might include someone's password.

To be clear, this situation should be relatively rare, which is why I'm marking this as minor. Something would have to actually "die" or "confess" with a backtrace that involved the password.
Severity: normal → minor
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Summary: Software error - display the password → Perl errors can display the password during login


10 years ago
Assignee: installation → user-accounts
Component: Installation & Upgrading → User Accounts
Group: webtools-security → bugzilla-security
Group: bugzilla-security → webtools-security
Group: webtools-security → bugzilla-security

Comment 4

8 years ago
In Bugzilla 3.0, I re-wrote the Auth system to pass around hashrefs instead of directly passing around the username and password as strings. That means that if there's a crash in this code, it will simply display something like HASH(0x1298fade) instead of the password.

So that makes this WFM as of Bugzilla 3.0 or later.
Group: bugzilla-security
Last Resolved: 8 years ago
Resolution: --- → WORKSFORME
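Added example, not code from Bugzilla itself, showing the mechanism behind comment 3 and comment 4: a Carp backtrace (what `confess` or `CGI::Carp`'s fatalsToBrowser prints) lists each frame's string arguments verbatim, whereas a hashref argument appears only as its address. The sub names and the sample credentials are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp qw(longmess);

# Constructed sample credentials (not real).
my $user     = 'm-hans';
my $password = 'not-a-real-password';

# Pre-3.0 style: login name and password travel as plain string arguments.
# A backtrace taken inside the callee prints every frame's arguments, so the
# password lands in the error text.
sub authenticate_strings {
    my ($login, $pass) = @_;
    return longmess("simulated failure");   # same text confess() would emit
}

# 3.0 style: the same data wrapped in one hashref. The frame line then shows
# only the reference's stringification, e.g. HASH(0x55d1...).
sub authenticate_hashref {
    my ($params) = @_;
    return longmess("simulated failure");
}

my $trace_strings = authenticate_strings($user, $password);
my $trace_hashref = authenticate_hashref(
    { username => $user, password => $password } );

print "--- string arguments ---\n$trace_strings";
print "--- hashref argument ---\n$trace_hashref";

# Check whether the secret leaked into each backtrace.
sub leaks { my ($trace, $secret) = @_; return index($trace, $secret) >= 0 }

printf "string args leak the password: %s\n",
    leaks($trace_strings, $password) ? 'yes' : 'no';
printf "hashref arg leaks the password: %s\n",
    leaks($trace_hashref, $password) ? 'yes' : 'no';
```

The first report prints "yes" and the second "no"; the same check applied to a web-facing error page is how a reviewer can confirm that fatalsToBrowser output no longer carries credentials.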