[Bug 645835] New: obs stores the users password in the session leaking it to the database and sending it via mail

older
[Bug 737522] New: Wireshark hangs...

bugzilla_noreply＠novell.com

12 Oct 2010 12 Oct '10

16:10

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c0 Summary: obs stores the users password in the session leaking it to the database and sending it via mail Classification: openSUSE Product: openSUSE.org Version: unspecified Platform: All OS/Version: All Status: NEW Severity: Major Priority: P5 - None Component: BuildService AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: winter@pre-sense.de QAContact: adrian@novell.com Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/20100916 Iceweasel/3.5.13 (like Firefox/3.5.13) OBS stores the users password unencrypted in the session store leaking the password into the database. Even worse, the password is sent to all the people listed in exception_recipients via mail. Reproducible: Always Steps to Reproduce: 1. 2. 3. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

13 Oct 13 Oct

01:05

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c wei wang changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wewang@novell.com AssignedTo|bnc-team-screening@forge.pr |adrian@novell.com |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

07:11

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c1 Adrian Schröter changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |winter@pre-sense.de --- Comment #1 from Adrian Schröter 2010-10-13 07:11:08 UTC --- exception_recipients is for debugging purposes only, so yes we could strip it more but this is not for production purposes. The password should be crypted with the secret.key which gets at least generated on the appliance by default. The database is the storage place of the password, do I miss a problem here ? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

07:13

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c2 --- Comment #2 from Adrian Schröter 2010-10-13 07:13:11 UTC --- Btw, open security relevant issues are that * We do not use SSL by default * We do not protect backend ports by default that is the reason why we warn to use the OBS appliance with its default configuration in untrusted networks (on the Appliance wiki page). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15 Oct 15 Oct

08:16

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c3 --- Comment #3 from Thomas Biege 2010-10-15 08:16:42 UTC --- http://guides.rubyonrails.org/security.html#logging describes how to omit sensitive information, like passwords, in log files. IMO passwords are not relevant for debugging. There is no reason to store the password in the cookie, it is even dangerous. After logging in the user gets a session cookie, nothing else is needed. Mandatory SSL usage is - of course - a desirable security feature. (It can be considered as de facto standard for critical application.) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

08:17

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c Thomas Biege changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| |security -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

19 Oct 19 Oct

09:48

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c4 --- Comment #4 from Justus Winter 2010-10-19 09:48:38 UTC --- (In reply to comment #1)

...

exception_recipients is for debugging purposes only, so yes we could strip it more but this is not for production purposes.

The password should be crypted with the secret.key which gets at least generated on the appliance by default.

The database is the storage place of the password, do I miss a problem here ? Yes.

The main problem is that the OBS stores the users password in the rails session which uses the database as persistent storage thus leaking sensitive information (the users password in clear text) to the disk. The fact that OBS sends the password via smtp is just the icing... src/webui/app/controllers/user_controller.rb/do_login() contains: session[:passwd] = params[:password] Fire up your database client of choice, do a 'select data from sessions limit 1;' and debase64 the resulting string:

...

...
...
base64.decodestring(s) '\x04\x08{\t:\nlogin"\ttest:\x0bpasswd"%KBTSg2mvj6i3mWHR535frfrKgacEAPoa:\x10_csrf_token"1U08qqWTbXYshm1Yk61nDsvyEekaKJ4R+WYMZHDZtyFY="\nflashIC:\'ActionController::Flash::FlashHash{\x00\x06:\n@used{\x00'

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:39

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c5 --- Comment #5 from Adrian Schröter 2010-10-19 10:39:34 UTC --- If you have access to the database, you have also plenty other security problems, including a way to sniff the password at any other layer. I don't mind to store it with debase64, but that is not really giving more security. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:14

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

...

If you have access to the database, you have also plenty other security problems, including a way to sniff the password at any other layer.

I don't mind to store it with debase64, but that is not really giving more security. I really hope that you change your mind. Storing user passwords without hashing

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c6 --- Comment #6 from Justus Winter 2010-10-19 11:14:31 UTC --- (In reply to comment #5) them is reckless and unnecessary. Looking at src/webui/app/controllers/user_controller.rb/change_password() reveals one reason why the password is stored in the session: def change_password # check the valid of the params if not params[:current_password] == session[:passwd] errmsg = "The value of current password does not match your current password. Please enter the password and try again." end But that's not the right way to do this. What you want to do instead is to take the old password supplied by the user and hash it (salting it first with the value stored in the users table) and compare the resulting hash with the one stored in the database. Most users will reuse a password on multiple sites. By storing the unencrypted password you expose your users to an unnecessary risk. Sadly gaining access to the database is far from impossible with most web applications, and while OBS uses rails which I suspect has an orm, you can still use it the wrong way. And please don't take this personally, but looking at the code in question and considering the fact that we're having this discussion I am not sure that the code was developed with enough care with respect to security aspects. If you don't believe me, please look at the way other high profile web applications are handling user authentication. With this bug in place, I consider the OBS not fit for production since it exposes it's users to an unacceptable risk. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:28

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c7 --- Comment #7 from Adrian Schröter 2010-10-19 11:28:41 UTC --- I don't mind to hash it (it should be actually already md5, which is of course not secure, by default). Btw, this is a non issue for api.opensuse.org, because the api does not see the password at all. People who use the same account on many instances have in any case anyway security problems so that is not arguemtn to me. OBS in default setup (like shipped on the appliance) is indeed not ready for production for several reasons and we warn about that. Yes, I wanted to have spent time on that since quite some time, but other stuff was alsways more urgent. change_password() must get fixed indeed. It was never used so far on any of our productive instances. But I suppose the LDAP code contributors may use it meanwhile. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:30

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c8 --- Comment #8 from Adrian Schröter 2010-10-19 11:30:37 UTC --- we accept of course patches ;) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:19

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c9 --- Comment #9 from Thomas Biege 2010-10-19 13:19:32 UTC --- I see no high risk (CVSSv2 base score = 1.7 DREAD = 4.6) for storing the user passwords in clear text. But it should not be in the Cookie. The Cookie is only base64 encoded and transferred over the network. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14:18

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

...

I don't mind to hash it (it should be actually already md5, which is of course not secure, by default). It is salted and hashed before being stored by the api backend in the users

...

Btw, this is a non issue for api.opensuse.org, because the api does not see the password at all. It is a non issue for the api backend because the api backend handles the users

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c10 --- Comment #10 from Justus Winter 2010-10-19 14:18:21 UTC --- (In reply to comment #7) table. But it is *not* hashed in the session table. password correctly in src/api/app/person_controller.rb. It is however an issue for the webui. And I think build.opensuse.org is affected as well despite the fact that the authentication uses novells authentication solution. Which makes it even worse now that I think about it.

...

People who use the same account on many instances have in any case anyway security problems so that is not arguemtn to me. No, you are wrong on this one. You yourself are using the same password for the whole opensuse/novell infrastructure.

...

OBS in default setup (like shipped on the appliance) is indeed not ready for production for several reasons and we warn about that. Yes, I wanted to have spent time on that since quite some time, but other stuff was alsways more urgent.

change_password() must get fixed indeed. It was never used so far on any of our productive instances. But I suppose the LDAP code contributors may use it meanwhile. change_password() in itself isn't the problem. Storing the users password in the session is.

...

we accept of course patches ;) I started working on one but since I am not familiar with rails and have never written a single line of ruby I failed and decided to report this bug without a

(In reply to comment #8) patch instead. (In reply to comment #9)

...

I see no high risk (CVSSv2 base score = 1.7 DREAD = 4.6) for storing the user passwords in clear text. I think that's a rather reckless attitude for someone being in the novell security team. Especially since this bug jeopardizes the whole opensuse/novell infrastructure.

...

But it should not be in the Cookie. The Cookie is only base64 encoded and transferred over the network. It is not stored in the cookie but in the session dictionary which is backed up by a database.

I am kind of speechless that we're even having this discussion. There's this very simple rule, you don't store users passwords without salting and hashing them. Ever. In fact it would be nice to overwrite the plain text password as soon as you're done hashing it (which is kind of hard to do in languages where strings are immutable). But writing them to a non volatile memory is a big no-no... And a quick grep revealed this in src/api/app/controllers/statistics_controller.rb: # create new entry - we do this directly per sql statement, because # that's much faster than through ActiveRecord objects DownloadStat.connection.insert "\ INSERT INTO download_stats ( \ `db_project_id`, `db_package_id`, `repository_id`, `architecture_id`,\ `filename`, `filetype`, `version`, `release`,\ `counted_at`, `created_at`, `count`\ ) VALUES(\ '#{@@project_id}', '#{@@package_id}', '#{@@repo_id}', '#{@@arch_id}',\ '#{@@count[:filename]}', '#{@@count[:filetype]}',\ '#{@@count[:version]}', '#{@@count[:release]}',\ '#{@@count[:counted_at]}', '#{@@count[:created_at]}',\ '#{text}'\ )", "Creating DownloadStat entry: " See, people are bypassing the orm for various reasons, like for performance. I am not familiar with ruby so I could be mistaken but this kind of looks like variable expansion inside the string without any kind of escaping. I am not sure if this example is exploitable at all, and even if it is, it cannot be used to access the webuis session table, but this is exactly the kind of mistake that can be exploited to extract information from a database. And if this database contains unhashed passwords that's a big disaster. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15:11

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c11 --- Comment #11 from Adrian Schröter 2010-10-19 15:11:36 UTC ---

...

...
People who use the same account on many instances have in any case anyway security problems so that is not arguemtn to me. No, you are wrong on this one. You yourself are using the same password for the whole opensuse/novell infrastructure.

the whole opensuse/novell infrastructure is using iChain, which is a proxy in front of all servers. It does the authentification and all servers behind are trust in it, but they don't see the password at all. That is also the reason why we did not spend much effort yet on the other authentification handling mechanisms. LDAP was developed by Intel. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Apr 11 Apr

11:09

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c12 --- Comment #12 from Sascha Peilicke 2011-04-11 11:09:52 UTC --- Passwords are stripped from exception messages (sent by mail) now. This was also backported to the 2.1 branch and may appear as part of a 2.1.9 release. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:22

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c13 --- Comment #13 from Adrian Schröter 2011-04-11 11:22:25 UTC --- In 2.1.8 ;) Regarding the passwords in database issue, we may release a new secure proxy solution soon. That will handle the login mechanisms and OBS api & webui do not get the password anymore. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

6 Nov 6 Nov

07:58

New subject: [Bug 645835] obs stores the users password in the session leaking it to the database and sending it via mail

https://bugzilla.novell.com/show_bug.cgi?id=645835 https://bugzilla.novell.com/show_bug.cgi?id=645835#c14 Adrian Schröter changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |RESOLVED InfoProvider|winter@pre-sense.de | Resolution| |FIXED --- Comment #14 from Adrian Schröter 2012-11-06 07:58:22 UTC --- This is done -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

4196

Age (days ago)

4952

Last active (days ago)

List overview

Download

16 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 645835] New: obs stores the users password in the session leaking it to the database and sending it via mail

tags

participants (1)