Closed Bug 786159 Opened 13 years ago Closed 13 years ago

Vulnerabilities in password management by the web application

Categories: Bugzilla :: User Accounts, defect
Hardware: x86
OS: Windows XP
Type: defect
Priority: Not set
Severity: minor

Tracking: RESOLVED DUPLICATE of bug 298539

People: Reporter: ursbobby19; Assignee: Unassigned

Details

The https://bugzilla.mozilla.org web app is storing the password in browser memory in clear text, which can be accessed from browser memory even after we log out and close the tab on which Bugzilla was running. Though you are using HTTPS for transmission, the username and password are stored in clear text in process memory, which can be accessed without any effort and used by the attacker. This bug might exist on your other applications which require login; please check.

If we dump process memory with tools like userdump, then we can access these strings by running strings on the process memory dump, or with a tool which will grab the passwords from memory:

Bugzilla_login=XXXXXX@gmail.com&Bugzilla_password=XXXXXXX&GoAheadAndLogIn=Log+in
XXXXXX@gmail.com
XXXXXXX
Log+in

(username and password are masked)

Any malicious attacker can run scripts or use some malicious code to access the password by writing simple tools or scripts. You might have to nullify the strings used for passwords and anything related to it.
CC list accessible: false
How would a *web application* protect against a system memory dump problem? Do you have some type of working PoC that demonstrates this?
CC list accessible: true
This looks like a duplicate of bug 298539.
We can log in and log out of Bugzilla, then you can use the userdump (Microsoft) tool to dump the memory and run strings on it and check the output for passwords. If you can do the same on Facebook or Yahoo, you will not get anything related to credentials. You can nullify the respective strings post authentication phase so that the password which is stored in memory will be overwritten with junk characters. I cannot access your code to see what variable is causing the issue, but you can actually look at your code and fix it.

Thanks,
Prakash.
(In reply to ursbobby19 from comment #3)
> We can login and logout of bugzilla then you can use userdump(Microsoft)
> tool to dump the memory and run strings on it and check the output for
> passwords.

Just to be clear, you're referring to a user's machine, not the server running Bugzilla, correct?

> If you can do the same on facebook or yahoo, you will not get anything
> related to credentials. You can nullify the respective strings post
> authentication phase so that the password which is stored in memory will be
> overwritten with junk characters.

That doesn't make any sense... They both do a POST with credentials. There's nothing different about what we're doing there. There's no way for us to "nullify" stuff from a POST that has already happened.

> I cannot access your code to see what variable is causing the issue but you
> can actually look at your code and fix it.

Bugzilla is open source. Feel free to take a look at the code yourself and see.

https://bzr.mozilla.org/bugzilla/trunk/files

Opening this bug up, as I don't see it as something that needs to be security-sensitive.
Group: bugzilla-security
1. Yes, I am referring to the client, not the server.
2. I would request you to check before you conclude it doesn't make any sense; it actually can.
3. I cannot audit all your source code, but you can try to nullify the variables in the auth module. Mostly this fixes the issue for .NET-based code. Not sure whether the same works for you. It's up to you how you see this issue.
Severity: critical → minor
A web page directly can't influence how a browser allocates or frees memory, so this isn't an issue from Bugzilla's perspective. From a browser point of view, this isn't a security problem either; see bug 298539 for more information.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
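Added example (not Bugzilla code, and not written by anyone in this thread) of what the "nullify the strings" suggestion amounts to, and where it can actually be done. The bytes the reporter found are the form-encoded POST body; that buffer is owned by the browser process, so overwriting it after the request has been sent is the client's job (the subject of bug 298539), not something a server-side web application can reach. The credentials and the form layout below are constructed from the masked sample in the report, and `secure_zero`, `build_login_body`, `contains` and `password_lingers` are hypothetical names chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample credentials; the values on the bug page are masked. */
#define SAMPLE_USER "user@example.com"
#define SAMPLE_PASS "hunter2-constructed"

/* Overwrite a buffer through a volatile pointer so the compiler cannot drop
 * the stores as dead code after the buffer's last use. Production code should
 * use the platform primitive built for this (explicit_bzero, memset_s,
 * SecureZeroMemory) rather than a hand-rolled loop. */
static void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Build the application/x-www-form-urlencoded login body, i.e. the string the
 * browser serializes from the Bugzilla login form before sending it.
 * Returns the body length, or -1 if it does not fit. */
static int build_login_body(char *out, size_t out_len,
                            const char *user, const char *pass)
{
    int n = snprintf(out, out_len,
                     "Bugzilla_login=%s&Bugzilla_password=%s&GoAheadAndLogIn=Log+in",
                     user, pass);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Binary-safe substring search over a raw buffer: the same check that
 * running `strings` on a dump and grepping for the password performs. */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || hay_len < n)
        return 0;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Simulate the client side: serialize the form, "send" it, then either wipe
 * the buffer or leave it as most code does. Returns 1 if the password is still
 * findable in the buffer afterwards, 0 if it was scrubbed, -1 on error. */
int password_lingers(int wipe_after_use)
{
    unsigned char body[256];
    memset(body, 0xAA, sizeof body);  /* stand-in for unrelated heap contents */

    if (build_login_body((char *)body, sizeof body, SAMPLE_USER, SAMPLE_PASS) < 0)
        return -1;

    /* ... the body is handed to the socket layer here ... */

    if (wipe_after_use)
        secure_zero(body, sizeof body);

    return contains(body, sizeof body, SAMPLE_PASS);
}

int main(void)
{
    printf("without wipe: password lingers = %d\n", password_lingers(0));
    printf("with wipe:    password lingers = %d\n", password_lingers(1));
    return 0;
}
```

Compile with `cc -std=c99 -O2` and note that the volatile loop survives optimization where a plain `memset` before a buffer goes out of scope may not. The same scrubbing is not expressible from the web application's side: page JavaScript never holds the serialized body of an ordinary form submission, and the Perl on the server only ever sees the POST after it has arrived, which is why the maintainers' answer above points at the browser (bug 298539) rather than at Bugzilla.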