Todo #8394

closed

status.php - Some package password fields are not redacted

Added by Andy Kniveton over 3 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Very Low
Assignee:
Category: Web Interface
Target version:
Start date: 03/29/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:

Description

Raised an issue with support to do with 2.4.3 and an issue at boot time https://redmine.pfsense.org/issues/8393

Was told the following "Passwords and private keys are redacted. As such, we won't be able to see confidential information in regards to other methods of accessing the firewall."

I've replaced a password I commonly used with PASSWORD-WAS-HERE in the following output; I think some more info could do with being redacted.

mac-pro:status_output andyk$ grep PASSWORD-WAS-HERE *
IPsec-strongSwan Configuration.txt: secret = "PASSWORD-WAS-HERE
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <redis_password>PASSWORD-WAS-HERE</redis_password>
config-sanitized.xml: <redis_passwordagain>PASSWORD-WAS-HERE</redis_passwordagain>
mac-pro:status_output andyk$

The eap-radius password and the freeradius client & user passwords are still in clear text.
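A check in the spirit of the grep above, added here as an illustration and not part of this issue or of pfSense's status.php: it redacts the four package tag names listed in this report plus strongSwan-style `secret = "..."` lines, then confirms that a canary secret no longer appears anywhere in the bundle. The file contents and the `<config>` wrapper element are constructed sample input; only the inner tag names and the `xxxxx` placeholder come from this page. The same canary technique (substitute a known string for the real password, then grep the whole output directory) is what a user can run before handing a status bundle to anyone.

```python
"""Redaction check for a status.php output bundle (added illustration, not pfSense code).

The tag names below are the ones this report shows unredacted in
config-sanitized.xml; the file contents are constructed sample input.
"""
import re
from typing import Dict, Iterable, List

# Package password fields the grep output in this report shows in clear text.
SENSITIVE_TAGS = (
    "varclientsharedsecret",   # FreeRADIUS client shared secret
    "varuserspassword",        # FreeRADIUS user password
    "redis_password",
    "redis_passwordagain",
)

REDACTION = "xxxxx"  # placeholder the tester reported seeing in 2.4.4.a.20180504.1639

# Constructed sample bundle: the canary stands in for a real password, exactly
# as the reporter substituted PASSWORD-WAS-HERE before pasting the grep output.
CANARY = "PASSWORD-WAS-HERE"
SAMPLE_BUNDLE: Dict[str, str] = {
    "IPsec-strongSwan Configuration.txt": (
        "eap-radius {\n"
        "    servers {\n"
        "        primary {\n"
        f'            secret = "{CANARY}"\n'
        "        }\n"
        "    }\n"
        "}\n"
    ),
    # The <config> wrapper is constructed; only the inner tag names are from the report.
    "config-sanitized.xml": (
        "<config>\n"
        f"  <varclientsharedsecret>{CANARY}</varclientsharedsecret>\n"
        f"  <varuserspassword>{CANARY}</varuserspassword>\n"
        f"  <redis_password>{CANARY}</redis_password>\n"
        f"  <redis_passwordagain>{CANARY}</redis_passwordagain>\n"
        "</config>\n"
    ),
}


def redact_xml(xml_text: str, tags: Iterable[str] = SENSITIVE_TAGS) -> str:
    """Replace the text content of every listed element with the placeholder.

    Matching on the exact '<tag>' ... '</tag>' pair keeps 'redis_password'
    from swallowing 'redis_passwordagain'.
    """
    for tag in tags:
        esc = re.escape(tag)
        pattern = re.compile(rf"(<{esc}>)(.*?)(</{esc}>)", re.DOTALL)
        xml_text = pattern.sub(rf"\g<1>{REDACTION}\g<3>", xml_text)
    return xml_text


def redact_secret_lines(conf_text: str) -> str:
    """Blank the value of strongSwan-style `secret = "..."` lines.

    The closing quote is optional because the grep hit in this report shows
    the line cut off after the opening quote.
    """
    return re.sub(
        r'(^\s*secret\s*=\s*")[^"\n]*("?)',
        rf"\g<1>{REDACTION}\g<2>",
        conf_text,
        flags=re.MULTILINE,
    )


def redact_bundle(files: Dict[str, str]) -> Dict[str, str]:
    """Apply the XML redaction to .xml files and the secret-line redaction elsewhere."""
    return {
        name: redact_xml(text) if name.endswith(".xml") else redact_secret_lines(text)
        for name, text in files.items()
    }


def find_leaks(files: Dict[str, str], canary: str) -> List[str]:
    """Equivalent of `grep CANARY *`: every 'file: line' still containing the canary."""
    return [
        f"{name}: {line.strip()}"
        for name, text in files.items()
        for line in text.splitlines()
        if canary in line
    ]


if __name__ == "__main__":
    before = find_leaks(SAMPLE_BUNDLE, CANARY)
    after = find_leaks(redact_bundle(SAMPLE_BUNDLE), CANARY)
    print(f"leaks before redaction: {len(before)}")
    for hit in before:
        print("  " + hit)
    print(f"leaks after redaction:  {len(after)}")
```

The tag list is deliberately a plain tuple so it can be extended as packages add fields, which is the maintenance problem Jim Pingle describes below: the base system cannot know every package's field names, so the canary grep is the check that catches whatever the list misses.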

Actions #1

Updated by Jim Pingle over 3 years ago

  • Project changed from pfSense Packages to pfSense
  • Subject changed from [your_firewall_IP]/status.php & status_output.tgz to status.php - Some package password fields are not redacted
  • Category set to Web Interface
  • Priority changed from Normal to Very Low
  • Target version set to 2.4.4

I can add them to the redacted field list.

That said, these are from packages and the base system status.php can't always keep up with or know about changes from packages.

Actions #2

Updated by Jim Pingle about 3 years ago

  • Target version changed from 2.4.4 to 2.4.3-p1

Actions #3

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #4

Updated by Anonymous about 3 years ago

Tested in 2.4.4.a.20180504.1639: cannot reproduce, sensitive information is replaced with xxxxx.

Actions #5

Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Resolved