[Bug 645835] New: obs stores the user's password in the session leaking it to the database and sending it via mail
https://bugzilla.novell.com/show_bug.cgi?id=645835
https://bugzilla.novell.com/show_bug.cgi?id=645835#c0

Summary: obs stores the user's password in the session leaking it to the database and sending it via mail
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: Major
Priority: P5 - None
Component: BuildService
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: winter@pre-sense.de
QAContact: adrian@novell.com
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/20100916 Iceweasel/3.5.13 (like Firefox/3.5.13)

OBS stores the user's password unencrypted in the session store, leaking the password into the database. Even worse, the password is sent to all the people listed in exception_recipients via mail.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=645835#c
wei wang
https://bugzilla.novell.com/show_bug.cgi?id=645835#c1
--- Comment #1 from Adrian Schröter
https://bugzilla.novell.com/show_bug.cgi?id=645835#c2
--- Comment #2 from Adrian Schröter
https://bugzilla.novell.com/show_bug.cgi?id=645835#c3
--- Comment #3 from Thomas Biege
https://bugzilla.novell.com/show_bug.cgi?id=645835#c
Thomas Biege
https://bugzilla.novell.com/show_bug.cgi?id=645835#c4
--- Comment #4 from Justus Winter
> exception_recipients is for debugging purposes only, so yes we could strip it more but this is not for production purposes.
>
> The password should be crypted with the secret.key which gets at least generated on the appliance by default.
>
> The database is the storage place of the password, do I miss a problem here ?

Yes.

The main problem is that the OBS stores the user's password in the rails session, which uses the database as persistent storage, thus leaking sensitive information (the user's password in clear text) to the disk. The fact that OBS sends the password via smtp is just the icing...

src/webui/app/controllers/user_controller.rb/do_login() contains:

    session[:passwd] = params[:password]

Fire up your database client of choice, do a 'select data from sessions limit 1;' and debase64 the resulting string:

    base64.decodestring(s)
    '\x04\x08{\t:\nlogin"\ttest:\x0bpasswd"%KBTSg2mvj6i3mWHR535frfrKgacEAPoa:\x10_csrf_token"1U08qqWTbXYshm1Yk61nDsvyEekaKJ4R+WYMZHDZtyFY="\nflashIC:\'ActionController::Flash::FlashHash{\x00\x06:\n@used{\x00'
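The leak described in comment #4, as an added example that is not part of the bug report or of the OBS code base. The Rails ActiveRecord session store of that era wrote Base64(Marshal.dump(session)) into the `data` column of `sessions`, which is exactly what the decoded row above shows; the script reproduces that, pulls `:passwd` back out of such rows, and then applies the mitigation Adrian suggests in the quoted text (encrypting the credential under the server's secret key before it enters the session) so that the stored row no longer reveals it. The function names, the key derivation from `secret.key`, the sample login and password, and the AES-256-GCM layout are assumptions made for this example.

```ruby
require 'base64'
require 'openssl'

# Added example, not OBS code. Reproduces the session-store leak from the
# report and a server-side-key encryption of the credential as a mitigation.

# What the Rails 2 ActiveRecord session store puts in sessions.data.
def encode_session(hash)
  Base64.encode64(Marshal.dump(hash))
end

# Inverse of the above. (Marshal.load on rows you do not control is its own
# hazard; here the rows are constructed locally.)
def decode_session(data)
  Marshal.load(Base64.decode64(data))
end

# The attack from the report: read sessions.data and pull out :passwd.
# Returns [[login, passwd], ...] for every row that carries a cleartext password.
def leaked_passwords(rows)
  rows.map { |data| decode_session(data) }
      .select { |h| h.key?(:passwd) }
      .map { |h| [h[:login], h[:passwd]] }
end

# Would a plain substring search over the decoded row find the password?
def row_reveals?(data, secret)
  Base64.decode64(data).include?(secret)
end

# Mitigation (assumed design, not the project's): AES-256-GCM under a key
# derived from the Rails secret. Only the ciphertext goes into the session;
# the key stays in the app server's config, not in the database.
GCM_IV_LEN  = 12
GCM_TAG_LEN = 16

def seal(plaintext, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv           # fresh 12-byte nonce per encryption
  cipher.auth_data = ''
  ct = cipher.update(plaintext) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ct)
end

def unseal(blob, key)
  raw = Base64.strict_decode64(blob)
  iv  = raw[0, GCM_IV_LEN]
  tag = raw[GCM_IV_LEN, GCM_TAG_LEN]
  ct  = raw[(GCM_IV_LEN + GCM_TAG_LEN)..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag           # wrong key or tampered row -> CipherError
  cipher.auth_data = ''
  cipher.update(ct) + cipher.final
end

# What the webui would do on a later request: recover the credential it needs.
def credential_for(data, key)
  unseal(decode_session(data)[:passwd_enc], key)
end

# Same, but a tampered row or a foreign key yields nil instead of garbage.
def credential_or_nil(data, key)
  credential_for(data, key)
rescue OpenSSL::Cipher::CipherError
  nil
end

# Constructed sample data (assumed; not real credentials or a real secret.key).
SECRET_KEY = OpenSSL::Digest.digest('SHA256', 'contents of config/secret.key (assumed)')
PASSWORD   = 'constructed-password-1'
LEAKY_ROW  = encode_session({ login: 'test', passwd: PASSWORD, _csrf_token: 'x' })
SEALED_ROW = encode_session({ login: 'test', passwd_enc: seal(PASSWORD, SECRET_KEY) })

if __FILE__ == $PROGRAM_NAME
  puts "cleartext rows: #{leaked_passwords([LEAKY_ROW, SEALED_ROW]).inspect}"
  puts "sealed row reveals password: #{row_reveals?(SEALED_ROW, PASSWORD)}"
  puts "recovered with server key: #{credential_for(SEALED_ROW, SECRET_KEY)}"
end
```

Anyone with read access to the sessions table still gets the sealed row, but without the app server's key it tells them nothing, and a modified row fails authentication instead of decrypting to something plausible. Encryption rather than hashing is used because the webui has to present the credential again later; where a password is only ever verified, it belongs salted and hashed, as the thread goes on to say.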
https://bugzilla.novell.com/show_bug.cgi?id=645835#c5
--- Comment #5 from Adrian Schröter
If you have access to the database, you have also plenty of other security problems, including a way to sniff the password at any other layer.

I don't mind to store it with debase64, but that is not really giving more security.

I really hope that you change your mind. Storing user passwords without hashing
https://bugzilla.novell.com/show_bug.cgi?id=645835#c6
--- Comment #6 from Justus Winter
https://bugzilla.novell.com/show_bug.cgi?id=645835#c7
--- Comment #7 from Adrian Schröter
https://bugzilla.novell.com/show_bug.cgi?id=645835#c8
--- Comment #8 from Adrian Schröter
https://bugzilla.novell.com/show_bug.cgi?id=645835#c9
--- Comment #9 from Thomas Biege
> I don't mind to hash it (it should be actually already md5, which is of course not secure, by default).

It is salted and hashed before being stored by the api backend in the users

> Btw, this is a non issue for api.opensuse.org, because the api does not see the password at all.

It is a non issue for the api backend because the api backend handles the users
https://bugzilla.novell.com/show_bug.cgi?id=645835#c10
--- Comment #10 from Justus Winter
(In reply to comment #8)
> People who use the same account on many instances have in any case anyway security problems so that is not argument to me.

No, you are wrong on this one. You yourself are using the same password for the whole opensuse/novell infrastructure.

> OBS in default setup (like shipped on the appliance) is indeed not ready for production for several reasons and we warn about that. Yes, I wanted to have spent time on that since quite some time, but other stuff was always more urgent.
>
> change_password() must get fixed indeed. It was never used so far on any of our productive instances. But I suppose the LDAP code contributors may use it meanwhile.

change_password() in itself isn't the problem. Storing the user's password in the session is.

> we accept of course patches ;)

I started working on one but since I am not familiar with rails and have never written a single line of ruby I failed and decided to report this bug without a patch instead.

(In reply to comment #9)
> I see no high risk (CVSSv2 base score = 1.7 DREAD = 4.6) for storing the user passwords in clear text.

I think that's a rather reckless attitude for someone being in the novell security team. Especially since this bug jeopardizes the whole opensuse/novell infrastructure.

> But it should not be in the Cookie. The Cookie is only base64 encoded and transferred over the network.

It is not stored in the cookie but in the session dictionary which is backed up by a database.

I am kind of speechless that we're even having this discussion. There's this very simple rule: you don't store users' passwords without salting and hashing them. Ever. In fact it would be nice to overwrite the plain text password as soon as you're done hashing it (which is kind of hard to do in languages where strings are immutable). But writing them to a non volatile memory is a big no-no...

And a quick grep revealed this in src/api/app/controllers/statistics_controller.rb:

    # create new entry - we do this directly per sql statement, because
    # that's much faster than through ActiveRecord objects
    DownloadStat.connection.insert "\
      INSERT INTO download_stats ( \
        `db_project_id`, `db_package_id`, `repository_id`, `architecture_id`,\
        `filename`, `filetype`, `version`, `release`,\
        `counted_at`, `created_at`, `count`\
      ) VALUES(\
        '#{@@project_id}', '#{@@package_id}', '#{@@repo_id}', '#{@@arch_id}',\
        '#{@@count[:filename]}', '#{@@count[:filetype]}',\
        '#{@@count[:version]}', '#{@@count[:release]}',\
        '#{@@count[:counted_at]}', '#{@@count[:created_at]}',\
        '#{text}'\
      )", "Creating DownloadStat entry: "

See, people are bypassing the orm for various reasons, like for performance. I am not familiar with ruby so I could be mistaken but this kind of looks like variable expansion inside the string without any kind of escaping. I am not sure if this example is exploitable at all, and even if it is, it cannot be used to access the webui's session table, but this is exactly the kind of mistake that can be exploited to extract information from a database. And if this database contains unhashed passwords that's a big disaster.
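The interpolated INSERT quoted in comment #10, with the escaping Justus suspects is missing, as an added example that is neither from the bug thread nor from OBS. It shows the unescaped pattern next to a quoted form and, because no database is needed, checks the result with a small quote-aware scanner that reports which text ends up inside string literals and which text the server would read as SQL. The reduced table layout, the `text` value, the payload and the MySQL-style backslash escaping (its default mode; `ActiveRecord::Base.connection.quote` or bind parameters do this for you in real code) are assumptions made for this example.

```ruby
# Added example, not OBS code: interpolation versus escaping in a hand-built
# INSERT, checked at the string level with a quote-aware scanner.

# The pattern from statistics_controller.rb, reduced to two columns (assumed).
def vulnerable_insert(text)
  "INSERT INTO download_stats (`filename`, `count`) VALUES('README', '#{text}')"
end

# Minimal MySQL-style escaping of a single-quoted literal (what
# connection.quote does for you); backslash and quote are the two characters
# that can end or alter the literal.
def quote(value)
  "'" + value.to_s.gsub('\\') { '\\\\' }.gsub("'") { "\\'" } + "'"
end

def safe_insert(text)
  "INSERT INTO download_stats (`filename`, `count`) VALUES('README', #{quote(text)})"
end

# Quote-aware scan: returns the literal values, the SQL text that sits outside
# any literal (what the server treats as commands), and whether a literal was
# left open.
def split_sql(sql)
  literals = []
  outside = +''
  buf = +''
  in_string = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_string
      if c == '\\'                 # escaped char: take it literally
        buf << sql[i + 1].to_s
        i += 1
      elsif c == "'"               # closing quote
        literals << buf
        buf = +''
        in_string = false
      else
        buf << c
      end
    elsif c == "'"                 # opening quote
      in_string = true
    else
      outside << c
    end
    i += 1
  end
  { literals: literals, outside: outside, unterminated: in_string }
end

# Does anything outside a literal look like a second, injected statement?
def runs_extra_statement?(sql)
  split_sql(sql)[:outside].include?('DROP TABLE')
end

# Constructed payload (assumed): closes the literal and the VALUES list, then
# comments out the rest of the original statement.
PAYLOAD = "x'); DROP TABLE download_stats; -- "

if __FILE__ == $PROGRAM_NAME
  [vulnerable_insert(PAYLOAD), safe_insert(PAYLOAD)].each do |sql|
    r = split_sql(sql)
    puts sql
    puts "  literals: #{r[:literals].inspect}"
    puts "  outside:  #{r[:outside]}"
    puts "  injected: #{runs_extra_statement?(sql)}"
  end
end
```

With the payload interpolated directly, `DROP TABLE download_stats` lands outside every literal and the original statement is left with an open quote; with `quote`, the whole payload comes back as the single `filename` value and the command text is unchanged.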
https://bugzilla.novell.com/show_bug.cgi?id=645835#c11
--- Comment #11 from Adrian Schröter
>> People who use the same account on many instances have in any case anyway security problems so that is not argument to me.
>
> No, you are wrong on this one. You yourself are using the same password for the whole opensuse/novell infrastructure.

The whole opensuse/novell infrastructure is using iChain, which is a proxy in front of all servers. It does the authentication and all servers behind it trust it, but they don't see the password at all. That is also the reason why we did not spend much effort yet on the other authentication handling mechanisms. LDAP was developed by Intel.
https://bugzilla.novell.com/show_bug.cgi?id=645835#c12
--- Comment #12 from Sascha Peilicke
https://bugzilla.novell.com/show_bug.cgi?id=645835#c13
--- Comment #13 from Adrian Schröter
https://bugzilla.novell.com/show_bug.cgi?id=645835#c14
--- Comment #14 from Adrian Schröter