Todo #8394: status.php - Some package password fields are not redacted - pfSense - pfSense bugtracker

Actions

Copy link

Todo #8394

closed

status.php - Some package password fields are not redacted

Added by Andy Kniveton over 6 years ago. Updated over 6 years ago.

Status:

Resolved

Priority:

Very Low

Assignee:

Jim Pingle

Category:

Web Interface

Target version:

2.4.3-p1

Start date:

03/29/2018

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Description

Raised an issue with support to do with 2.4.3 and an issue at boot time https://redmine.pfsense.org/issues/8393

Was told the following "Passwords and private keys are redacted. As such, we won't be able to see confidential information in regards to other methods of accessing the firewall."

I've changed a password I commonly used with PASSWORD-WAS-HERE in the following output, I think some more info could do with being redacted.

mac-pro:status_output andyk$ grep PASSWORD-WAS-HERE *
IPsec-strongSwan Configuration.txt: secret = "PASSWORD-WAS-HERE
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varclientsharedsecret>PASSWORD-WAS-HERE</varclientsharedsecret>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <varuserspassword>PASSWORD-WAS-HERE</varuserspassword>
config-sanitized.xml: <redis_password>PASSWORD-WAS-HERE</redis_password>
config-sanitized.xml: <redis_passwordagain>PASSWORD-WAS-HERE</redis_passwordagain>
mac-pro:status_output andyk$

eap-radius password, freeradius client & user passwords are still clear text.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Todo #8394

status.php - Some package password fields are not redacted

Updated by Jim Pingle over 6 years ago

Updated by Jim Pingle over 6 years ago

Updated by Jim Pingle over 6 years ago

Updated by Anonymous over 6 years ago

Updated by Jim Pingle over 6 years ago