
password disclosure in initial setup #823

Closed
northalpha opened this issue Mar 7, 2018 · 6 comments

Comments

@northalpha

northalpha commented Mar 7, 2018

Steps to reproduce

  1. Install mail app
  2. configure Mail app, but make a fault (e.g. wrong IMAP Server Port) so that the setup is not completed
  3. look at nextcloud.log and see: password in PLAINTEXT

Expected behaviour

Do not, under any circumstances (at least not at log level 2/3), log ANY passwords to disk / log file. Although the attack surface might be small (one needs local access to the log file on the NC instance), dumping passwords into log files that may be written somewhere else (e.g. rsyslog) is no good.

Actual behaviour

PLAINTEXT password written to logfile

Mail app

Mail app version: 0.7.10

Mailserver or service: dovecot/postfix
Number of accounts: -

Server configuration detail

Operating system: Linux 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64

Webserver: nginx/1.10.3 (fpm-fcgi)

Database: pgsql PostgreSQL 9.5.12 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.9) 5.4.0 20160609, 64-bit

PHP version: 7.0.25-0ubuntu0.16.04.1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, cgi-fcgi, PDO, xml, apcu, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, igbinary, imagick, imap, intl, json, ldap, exif, mcrypt, pdo_pgsql, pgsql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 13.0.0 - 13.0.0.14

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: release zip

Signing status

Array

List of activated apps
Enabled:
 - activity: 2.6.1
 - calendar: 1.6.1
 - comments: 1.3.0
 - dav: 1.4.6
 - federatedfilesharing: 1.3.1
 - federation: 1.3.0
 - files: 1.8.0
 - files_pdfviewer: 1.2.0
 - files_sharing: 1.5.0
 - files_texteditor: 2.5.1
 - files_trashbin: 1.3.0
 - files_versions: 1.6.0
 - files_videoplayer: 1.2.0
 - firstrunwizard: 2.2.1
 - gallery: 18.0.0
 - issuetemplate: 0.3.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.1.0
 - mail: 0.7.10
 - nextcloud_announcements: 1.2.0
 - notifications: 2.1.2
 - oauth2: 1.1.0
 - password_policy: 1.3.0
 - provisioning_api: 1.3.0
 - serverinfo: 1.3.0
 - sharebymail: 1.3.0
 - spreed: 3.1.0
 - spreedme: 0.3.11
 - systemtags: 1.3.0
 - theming: 1.4.1
 - twofactor_backupcodes: 1.2.3
 - updatenotification: 1.3.0
 - user_ldap: 1.3.1
 - workflowengine: 1.3.0
Disabled:
 - admin_audit
 - encryption
 - files_external
 - survey_client
 - user_external

Configuration (config/config.php)
{
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": {
        "0": "***REMOVED SENSITIVE VALUE***",
        "1": "***REMOVED SENSITIVE VALUE***",
        "3": "***REMOVED SENSITIVE VALUE***",
        "4": "***REMOVED SENSITIVE VALUE***"
    },
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "pgsql",
    "version": "13.0.0.14",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": "6379"
    },
    "memcache.local": "\\OC\\Memcache\\APCu",
    "open_basedir": "\/dev\/urandom",
    "mysql.utf8mb4": "true",
    "updater.release.channel": "production",
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
    "has_internet_connection": false,
    "maintenance": false,
    "mail_smtpmode": "smtp",
    "mail_smtpauthtype": "PLAIN",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "587",
    "mail_smtpsecure": "tls",
    "mail_smtpauth": 1,
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
}
Nextcloud log
{"reqId":"DaWS3I6rvIcYk5MwzKXz","level":3,"time":"2018-03-07T15:06:19+00:00","remoteAddr":"1.2.3.4","user":"***REMOVED SENSITIVE VALUE***","app":"mail","method":"POST","url":"\/apps\/mail\/api\/accounts","message":"Exception: {\"Exception\":\"OCA\\\\Mail\\\\Exception\\\\ClientException\",\"Message\":\"Kontoerstellung fehlgeschlagen:Error connecting to mail server.\",\"Code\":0,\"Trace\":\"#0 [internal function]: OCA\\\\Mail\\\\Controller\\\\AccountsController->create('', 'bernd.brot...', '', 'mail.server.tld...', 993, 'ssl', 'bernd.brot...', 'geheim', 'mail.server.tld...', 587, 'tls', 'bernd.brot...', 'geheim', false)\\n#1 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(161): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(91): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OCA\\\\Mail\\\\Controller\\\\AccountsController), 'create')\\n#3 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(115): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OCA\\\\Mail\\\\Controller\\\\AccountsController), 'create')\\n#4 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main('OCA\\\\\\\\Mail\\\\\\\\Contro...', 'create', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer), Array)\\n#5 [internal function]: OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke(Array)\\n#6 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/Route\\\/Router.php(297): call_user_func(Object(OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler), Array)\\n#7 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/base.php(998): OC\\\\Route\\\\Router->match('\\\/apps\\\/mail\\\/api\\\/...')\\n#8 \\\/var\\\/www\\\/nextcloud\\\/index.php(37): OC::handleRequest()\\n#9 {main}\",\"File\":\"\\\/var\\\/www\\\/nextcloud\\\/apps\\\/mail\\\/lib\\\/Controller\\\/AccountsController.php\",\"Line\":225}","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko\/20100101 Firefox\/58.0","version":"13.0.0.14"}
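A defender-side check for this class of leak, as an added example (not code from the Nextcloud server or the Mail app): it parses one nextcloud.log line, decodes the exception JSON embedded in its "message" field, and masks the password positions in the AccountsController->create trace frame so that a forwarded or archived log no longer carries the credential. The sensitive argument positions and the sample log line are assumptions modelled on the trace shown in this issue.

```python
import json
import re

# Added example, not code from the Nextcloud mail app. Argument positions are an
# assumption inferred from the trace in this issue: args 8 and 13 hold the
# 'geheim' placeholder and the 3rd slot is the (empty) generic password.
SENSITIVE_ARGS = {"OCA\\Mail\\Controller\\AccountsController->create": {2, 7, 12}}
# One PHP trace frame: "#N <origin>: <callee>(<args>)"
FRAME_RE = re.compile(r"^#\d+ .*?: ((?:[\w\\]+(?:->|::))?\w+)\((.*)\)$")
# PHP trace arguments: quoted (truncated) strings, or bare tokens up to a comma
ARG_RE = re.compile(r"'(?:[^'\\]|\\.)*'|[^,\s][^,]*")

def redact_frame(frame):
    """Return (frame, hits) with the sensitive argument positions masked."""
    m = FRAME_RE.match(frame)
    if not m or m.group(1) not in SENSITIVE_ARGS:
        return frame, 0
    args = ARG_RE.findall(m.group(2))
    hits = 0
    for i in SENSITIVE_ARGS[m.group(1)]:
        if i < len(args) and args[i] not in ("''", "NULL"):
            args[i], hits = "'***'", hits + 1
    return frame[:m.start(2)] + ", ".join(args) + frame[m.end(2):], hits

def scrub_log_line(raw):
    """Parse one nextcloud.log JSON line, mask passwords in the embedded trace."""
    entry = json.loads(raw)
    msg = entry.get("message", "")
    if not msg.startswith("Exception: "):
        return raw, 0
    exc = json.loads(msg[len("Exception: "):])  # inner Exception JSON
    frames = [redact_frame(f) for f in exc.get("Trace", "").split("\n")]
    exc["Trace"] = "\n".join(f for f, _ in frames)
    entry["message"] = "Exception: " + json.dumps(exc)
    return json.dumps(entry), sum(n for _, n in frames)

def build_sample_line():
    """Constructed log entry modelled on the one in this issue; 'geheim' is a placeholder."""
    trace = ("#0 [internal function]: OCA\\Mail\\Controller\\AccountsController->create"
             "('', 'bernd.brot...', '', 'mail.server.tld...', 993, 'ssl', 'bernd.brot...', "
             "'geheim', 'mail.server.tld...', 587, 'tls', 'bernd.brot...', 'geheim', false)\n"
             "#1 /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php(161): "
             "call_user_func_array(Array, Array)\n#2 {main}")
    exc = {"Exception": "OCA\\Mail\\Exception\\ClientException", "Code": 0, "Line": 225,
           "Message": "Kontoerstellung fehlgeschlagen:Error connecting to mail server.",
           "Trace": trace, "File": "/var/www/nextcloud/apps/mail/lib/Controller/AccountsController.php"}
    return json.dumps({"reqId": "DaWS3I6rvIcYk5MwzKXz", "level": 3, "app": "mail",
                       "method": "POST", "url": "/apps/mail/api/accounts",
                       "message": "Exception: " + json.dumps(exc)})
```

Run `scrub_log_line` over each line of nextcloud.log before shipping it to rsyslog; a non-zero hit count is itself a detection signal that a credential reached the log.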


@ChristophWurst
Member

Hi!

Thank you for your report. It looks like your report is missing some important sections of your issue template. Please complete it so that we get a better understanding of your setup and the problem to be able to fix the issue. It would be great to see what was logged. You should of course replace your real password with a random one 😉

Thank you.

@northalpha
Author

The missing log entry was hidden inside the Configuration array, sorry for that. I fixed the initial post.

@ChristophWurst
Member

Slightly more readable version of the log entry:

  \"Exception\": \"OCA\\\\Mail\\\\Exception\\\\ClientException\",
  \"Message\": \"Kontoerstellung fehlgeschlagen: Error connecting to mail server.\",
  \"Code\": 0,
  \"Trace\": \"#0 [
    internal function
  ]:  OCA\\\\Mail\\\\Controller\\\\AccountsController->create('',
   'bernd.brot...',
   '',
   'mail.server.tld...',
   993,
   'ssl',
   'bernd.brot...',
   'geheim',
   'mail.server.tld...',
   587,
   'tls',
   'bernd.brot...',
   'geheim',
   false)\\n#1 \/var\/www\/nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(161):  call_user_func_array(Array,
   Array)\\n#2 \/var\/www\/nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(91):  OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OCA\\\\Mail\\\\Controller\\\\AccountsController),
   'create')\\n#3 \/var\/www\/nextcloud\/lib\/private\/AppFramework\/App.php(115):  OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OCA\\\\Mail\\\\Controller\\\\AccountsController),
   'create')\\n#4 \/var\/www\/nextcloud\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php(47):  OC\\\\AppFramework\\\\App: : main('OCA\\\\\\\\Mail\\\\\\\\Contro...',
   'create',
   Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer),
   Array)\\n#5 [
    internal function
  ]:  OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke(Array)\\n#6 \/var\/www\/nextcloud\/lib\/private\/Route\/Router.php(297):  call_user_func(Object(OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler),
   Array)\\n#7 \/var\/www\/nextcloud\/lib\/base.php(998):  OC\\\\Route\\\\Router->match('\/apps\/mail\/api\/...')\\n#8 \/var\/www\/nextcloud\/index.php(37):  OC: : handleRequest()\\n#9 {
    main
  }\",
  \"File\": \"\/var\/www\/nextcloud\/apps\/mail\/lib\/Controller\/AccountsController.php\",
  \"Line\": 225
}"

@ChristophWurst
Member

This can be fixed with #1093 (comment)

@eibhear-from-athlone

Hi,

This is a significant security bug, and is still present in nextcloud 23/mail 1.12.0, 4 years after having been raised.

Is there a plan to fix this in nextcloud? And if not, will it be fixed in mail?

Thanks.

Éibhear

@miaulalala
Contributor

This is fixed on the most recent NC master.
