Todo #8394
Closed
status.php - Some package password fields are not redacted
100%
Description
Raised an issue with support to do with 2.4.3 and an issue at boot time: https://redmine.pfsense.org/issues/8393
Was told the following: "Passwords and private keys are redacted. As such, we won't be able to see confidential information in regards to other methods of accessing the firewall."
I've changed a password I commonly used with PASSWORD-WAS-HERE in the following output. I think some more info could do with being redacted.
mac-pro:status_output andyk$ grep PASSWORD-WAS-HERE *
IPsec-strongSwan Configuration.txt: secret = "PASSWORD-WAS-HERE
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <redis_password>PASSWORD-WAS-HERE</redis_password>
config-sanitized.xml: <redis_passwordagain>PASSWORD-WAS-HERE</redis_passwordagain>
mac-pro:status_output andyk$
eap-radius password, freeradius client & user passwords are still clear text.
Updated by Jim Pingle over 6 years ago
- Project changed from pfSense Packages to pfSense
- Subject changed from [your_firewall_IP]/status.php & status_output.tgz to status.php - Some package password fields are not redacted
- Category set to Web Interface
- Priority changed from Normal to Very Low
- Target version set to 2.4.4
I can add them to the redacted field list.
That said, these are from packages and the base system status.php can't always keep up with or know about changes from packages.
Updated by Jim Pingle over 6 years ago
- Target version changed from 2.4.4 to 2.4.3-p1
Updated by Jim Pingle over 6 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 21fdf72c0b3caf960512373ad903fe03ccc578ff.
Updated by Anonymous over 6 years ago
Tested in 2.4.4.a.20180504.1639 .. cannot reproduce, sensitive information is replaced with xxxxx
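A pre-share check for the gap discussed in this issue, where package fields fall outside a fixed redaction list: the script below is an added example, not pfSense code, and flags any secret-looking element or `name = value` setting that still holds a value. The name pattern, the helper names and the sample data are assumptions; the leaf tag names come from the report and the `xxxxx` placeholder from the tester's comment.

```python
import re
import xml.etree.ElementTree as ET

# Assumptions of this example: secret-bearing names contain one of these
# substrings, and a redacted value is a run of "x" as in the tester's comment.
SECRET_NAME = re.compile(r"passw|secret|psk|key", re.I)
REDACTED = re.compile(r"x+")
ASSIGN = re.compile(r"\s*([\w.-]+)\s*=\s*(.*)")

def is_live(value):
    """True when a value is non-empty and not the redaction placeholder."""
    value = value.strip().strip('"')
    return bool(value) and not REDACTED.fullmatch(value)

def unredacted_xml(xml_text):
    """Count leaf elements with a secret-looking tag that still hold a value."""
    hits = {}
    for el in ET.fromstring(xml_text).iter():
        if len(el) == 0 and SECRET_NAME.search(el.tag) and is_live(el.text or ""):
            hits[el.tag] = hits.get(el.tag, 0) + 1
    return sorted(hits.items())

def unredacted_text(text):
    """Line numbers of `name = value` settings that look like live secrets."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if (m := ASSIGN.match(line))
            and SECRET_NAME.search(m.group(1)) and is_live(m.group(2))]

# Constructed sample: only the leaf tag names come from the report.
SAMPLE_XML = """<config>
  <pkg_a><item><varclientsharedsecret>EXAMPLE-SECRET</varclientsharedsecret></item>
         <item><varclientsharedsecret>EXAMPLE-SECRET</varclientsharedsecret></item></pkg_a>
  <pkg_b><item><name>alice</name><varuserspassword>EXAMPLE-SECRET</varuserspassword></item></pkg_b>
  <pkg_c><redis_password>xxxxx</redis_password><redis_passwordagain>xxxxx</redis_passwordagain></pkg_c>
</config>"""
# Constructed sample with the unterminated quote seen in the report's grep output.
SAMPLE_CONF = 'eap-radius {\n  secret = "EXAMPLE-SECRET\n  server = 192.0.2.20\n}\n'

if __name__ == "__main__":
    print(unredacted_xml(SAMPLE_XML))   # tags that still carry a value, with counts
    print(unredacted_text(SAMPLE_CONF)) # line numbers of live secrets
```

Matching on name patterns rather than a fixed list catches fields from packages the list has never seen, at the cost of occasional false positives that need a manual look.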