Todo #8394

status.php - Some package password fields are not redacted

Added by Andy Kniveton about 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Very Low
Assignee:
Category:
Web Interface
Target version:
Start date:
03/29/2018
Due date:
% Done:

100%

Estimated time:

Description

Raised an issue with support to do with 2.4.3 and an issue at boot time https://redmine.pfsense.org/issues/8393

Was told the following "Passwords and private keys are redacted. As such, we won't be able to see confidential information in regards to other methods of accessing the firewall."

I've replaced a password I commonly used with PASSWORD-WAS-HERE in the following output; I think some more info could do with being redacted.

mac-pro:status_output andyk$ grep PASSWORD-WAS-HERE *
IPsec-strongSwan Configuration.txt: secret = "PASSWORD-WAS-HERE
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <redis_password>PASSWORD-WAS-HERE</redis_password>
config-sanitized.xml: <redis_passwordagain>PASSWORD-WAS-HERE</redis_passwordagain>
mac-pro:status_output andyk$

The eap-radius password and the freeradius client & user passwords are still in clear text.
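A pattern-based redaction pass for the two output formats seen in the grep above, added here as an illustration rather than pfSense's own status.php code. The tag-name fragments, the xxxxx mask and the sample config are assumptions modelled on the fields in the report; matching on tag-name substrings instead of an exact field list is what lets package fields such as redis_passwordagain get caught without the base system knowing about them.

```python
import re
import xml.etree.ElementTree as ET

# Assumed rule: any element whose tag name contains one of these fragments is
# sensitive. A substring match covers package fields a fixed list would miss.
SENSITIVE_TAG_RE = re.compile(r"password|passwd|secret|privkey|private_key|psk", re.I)
MASK = "xxxxx"

def redact_config_xml(xml_text: str) -> str:
    """Mask the text of every element whose tag name looks sensitive."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.text and elem.text.strip() and SENSITIVE_TAG_RE.search(elem.tag):
            elem.text = MASK
    return ET.tostring(root, encoding="unicode")

# strongSwan-style lines: secret = "..." (tolerates a missing closing quote,
# as in the truncated grep line in the report).
STRONGSWAN_SECRET_RE = re.compile(r'(secret\s*=\s*")[^"\n]*("?)')

def redact_strongswan(text: str) -> str:
    return STRONGSWAN_SECRET_RE.sub(lambda m: m.group(1) + MASK + m.group(2), text)

def leaked(text: str, marker: str) -> int:
    """Count remaining occurrences of a known value, like the reporter's grep."""
    return text.count(marker)

# Constructed sample config, shaped like the package sections in the report.
SAMPLE_CONFIG = """<pfsense><installedpackages>
  <freeradiusclients><config>
    <varclientip>192.0.2.10</varclientip>
    <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
  </config></freeradiusclients>
  <freeradius><config>
    <varusersusername>alice</varusersusername>
    <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
  </config></freeradius>
  <redis><config>
    <redis_password>PASSWORD-WAS-HERE</redis_password>
    <redis_passwordagain>PASSWORD-WAS-HERE</redis_passwordagain>
  </config></redis>
</installedpackages></pfsense>"""

SAMPLE_STRONGSWAN = 'con1 : PSK\n  secret = "PASSWORD-WAS-HERE"\n'

if __name__ == "__main__":
    print(redact_config_xml(SAMPLE_CONFIG))
    print(redact_strongswan(SAMPLE_STRONGSWAN))
```

Running leaked() on the redacted output with the marker value is the same check the reporter did with grep, and is the test to repeat whenever a package adds a new credential field.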

Associated revisions

Revision 21fdf72c (diff)
Added by Jim Pingle about 1 year ago

Redact some more info from the status.php output. Fixes #8394

Revision 34935fb8 (diff)
Added by Jim Pingle about 1 year ago

Redact some more info from the status.php output. Fixes #8394

(cherry picked from commit 21fdf72c0b3caf960512373ad903fe03ccc578ff)

Revision a08b017c (diff)
Added by Jim Pingle about 1 year ago

Redact some more info from the status.php output. Fixes #8394

(cherry picked from commit 21fdf72c0b3caf960512373ad903fe03ccc578ff)

History

#1 Updated by Jim Pingle about 1 year ago

  • Project changed from pfSense Packages to pfSense
  • Subject changed from [your_firewall_IP]/status.php & status_output.tgz to status.php - Some package password fields are not redacted
  • Category set to Web Interface
  • Priority changed from Normal to Very Low
  • Target version set to 2.4.4

I can add them to the redacted field list.

That said, these are from packages and the base system status.php can't always keep up with or know about changes from packages.

#2 Updated by Jim Pingle about 1 year ago

  • Target version changed from 2.4.4 to 2.4.3-p1

#3 Updated by Jim Pingle about 1 year ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by James Dekker about 1 year ago

Tested in 2.4.4.a.20180504.1639. Cannot reproduce; sensitive information is replaced with xxxxx.

#5 Updated by Jim Pingle about 1 year ago

  • Status changed from Feedback to Resolved
