Freeradius v3.0.15 logs password on PAP failure even with auth_badpass = no #2064

Closed
bldewolf opened this Issue Sep 13, 2017 · 0 comments

bldewolf commented Sep 13, 2017

Issue type

  • Questions about the server or its usage should be posted to the users mailing list.
  • Remote security exploits MUST be sent to security@freeradius.org.
  • Defect - Crash or memory corruption.
  • Defect - Non compliance with a standards document, or incorrect API usage.
  • Defect - Unexpected behaviour (obvious or verified by project member).
  • Feature request.

See here for debugging instructions and how to obtain backtraces.

NOTE: PATCHES GO IN PULL REQUESTS. IF YOU SUBMIT A DIFF HERE, THE DEVELOPMENT TEAM WILL HUNT YOU DOWN AND BEAT YOU OVER THE HEAD WITH YOUR OWN KEYBOARD.

Defect/Feature description

When the PAP module rejects a user for not matching a cleartext password, it generates an error message that contains the bad password. This error string gets used in the authlog, causing the authlog to contain a cleartext user password even if the auth_badpass config variable is set to no.

This behavior was added in 70fd787

How to reproduce issue

Enable authlog and pap, add a user with a cleartext password to the server, send a PAP request with the wrong password at it.
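The leak described in this report, and one way to close it, as an added example that is not FreeRADIUS code: the wording of the module's rejection message, the layout of the authlog line, the function names and the sample credentials are all assumptions made for this example. The "leaky" line builder honours auth_badpass for the password field but appends the module's error string verbatim, which is the pattern the report describes; the "safe" builder redacts the attempted password from that string before it reaches the log.

```c
/* Added example, not FreeRADIUS code. Models how a module error string that
 * embeds the attempted password reaches the authlog regardless of
 * auth_badpass, and one way to build the log line so that it cannot. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN 256

/* Illustrative stand-in for the PAP module's cleartext comparison.
 * The message wording is an assumption made for this example. */
static bool pap_check_cleartext(const char *attempt, const char *known_good,
                                char *err, size_t err_len)
{
    if (strcmp(attempt, known_good) == 0) {
        err[0] = '\0';
        return true;
    }
    /* The defect being modelled: the rejection reason embeds the attempt. */
    snprintf(err, err_len,
             "Cleartext password \"%s\" does not match known good password",
             attempt);
    return false;
}

/* Leaky builder: the password field respects auth_badpass, but the module
 * message is copied into the line unchanged. */
static void authlog_line_leaky(bool auth_badpass, const char *user,
                               const char *attempt, const char *module_err,
                               char *out, size_t out_len)
{
    if (auth_badpass)
        snprintf(out, out_len, "Login incorrect (%s): [%s/%s]",
                 module_err, user, attempt);
    else
        snprintf(out, out_len, "Login incorrect (%s): [%s/<via Auth-Type = PAP>]",
                 module_err, user);
}

/* Replace every occurrence of `secret` in `in` with "<redacted>". */
static void redact(const char *in, const char *secret, char *out, size_t out_len)
{
    const char *tag = "<redacted>";
    size_t slen = strlen(secret), tlen = strlen(tag), used = 0;
    const char *p = in;

    if (slen == 0) {                 /* nothing to hide; copy through */
        snprintf(out, out_len, "%s", in);
        return;
    }
    while (*p && used + 1 < out_len) {
        if (strncmp(p, secret, slen) == 0) {
            if (used + tlen >= out_len) break;
            memcpy(out + used, tag, tlen);
            used += tlen;
            p += slen;
        } else {
            out[used++] = *p++;
        }
    }
    out[used] = '\0';
}

/* Safe builder: when auth_badpass is off, the attempted password is scrubbed
 * from the module message as well as from the password field. */
static void authlog_line_safe(bool auth_badpass, const char *user,
                              const char *attempt, const char *module_err,
                              char *out, size_t out_len)
{
    char clean[MSG_LEN];

    if (auth_badpass) {
        snprintf(out, out_len, "Login incorrect (%s): [%s/%s]",
                 module_err, user, attempt);
        return;
    }
    redact(module_err, attempt, clean, sizeof clean);
    snprintf(out, out_len, "Login incorrect (%s): [%s/<via Auth-Type = PAP>]",
             clean, user);
}

/* The check a reviewer would run over the authlog: does the line still
 * contain the secret? */
static bool line_leaks(const char *line, const char *secret)
{
    return strstr(line, secret) != NULL;
}

int main(void)
{
    char err[MSG_LEN], leaky[MSG_LEN], safe[MSG_LEN];

    /* Constructed sample values; not real credentials. */
    pap_check_cleartext("wrongpass1", "s3cret-pw", err, sizeof err);
    authlog_line_leaky(false, "alice", "wrongpass1", err, leaky, sizeof leaky);
    authlog_line_safe(false, "alice", "wrongpass1", err, safe, sizeof safe);
    printf("leaky: %s\n", leaky);
    printf("safe:  %s\n", safe);
    return 0;
}
```

Substring redaction is only a backstop: a very short attempted password would also scrub unrelated text, and a module could still leak the secret in a transformed form. The durable fix is for the module's rejection message never to carry the attempted password in the first place, so that auth_badpass has nothing to suppress.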

alandekok added a commit that referenced this issue Sep 14, 2017

arr2036 closed this Oct 21, 2017