Todo #8394: status.php - Some package password fields are not redacted - pfSense - pfSense bugtracker

Actions

Copy link

Todo #8394

closed

status.php - Some package password fields are not redacted

Added by Andy Kniveton about 6 years ago. Updated almost 6 years ago.

Status:

Resolved

Priority:

Very Low

Assignee:

Jim Pingle

Category:

Web Interface

Target version:

2.4.3-p1

Start date:

03/29/2018

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Description

Raised an issue with support to do with 2.4.3 and an issue at boot time https://redmine.pfsense.org/issues/8393

Was told the following "Passwords and private keys are redacted. As such, we won't be able to see confidential information in regards to other methods of accessing the firewall."

I've changed a password I commonly used with PASSWORD-WAS-HERE in the following output, I think some more info could do with being redacted.

mac-pro:status_output andyk$ grep PASSWORD-WAS-HERE *
IPsec-strongSwan Configuration.txt: secret = "PASSWORD-WAS-HERE
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <redis_password>PASSWORD-WAS-HERE</redis_password>
config-sanitized.xml: <redis_passwordagain>PASSWORD-WAS-HERE</redis_passwordagain>
mac-pro:status_output andyk$

eap-radius password, freeradius client & user passwords are still clear text.

Actions

Copy link

Updated by Jim Pingle about 6 years ago

Project changed from pfSense Packages to pfSense
Subject changed from [your_firewall_IP]/status.php & status_output.tgz to status.php - Some package password fields are not redacted
Category set to Web Interface
Priority changed from Normal to Very Low
Target version set to 2.4.4