Project

General

Profile

Bug #10794

HAProxy Stats page credentials are not redacted in status.php

Added by Steve Wheeler about 2 months ago. Updated 18 days ago.

Status:
Resolved
Priority:
Normal
Category:
Web Interface
Target version:
Start date:
07/28/2020
Due date:
% Done:

100%

Estimated time:
Affected Version:
All
Affected Architecture:
All

Description

The status_output file generated by status.php does not redact the HAProxy stats page login details:

                    <stats_enabled></stats_enabled>
                    <stats_username>admin</stats_username>
                    <stats_password>topsecret</stats_password>
                    <stats_uri></stats_uri>

They are also not shown by default which makes it hard to find them or spot of a browser has auto-filled it.

Associated revisions

Revision 7f11a9a0 (diff)
Added by Viktor Gurov about 2 months ago

Sanitize HAproxy stats_password. Issue #10794

History

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review

#3 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#4 Updated by Danilo Zrenjanin 18 days ago

  • Status changed from Feedback to Resolved

Tested on :
2.5.0-DEVELOPMENT (amd64)
built on Thu Sep 03 19:02:32 EDT 2020
FreeBSD 12.2-PRERELEASE

HAProxy Stats page credentials are redacted in status.php

<stats_enabled>yes</stats_enabled>
<stats_username>daniloz</stats_username>
<stats_password>xxxxx</stats_password>

I am resolving the ticket.

Also available in: Atom PDF