Using encryption logs user password in clear-text

[Fiech]

Problem description

While logging issue #6541, I noticed that in my NC log, the user password and token of the affected user were logged in clear-text, although other sensitive information was obfuscated:

excerpt from log file

OC\ForbiddenException: This request is not allowed to access the filesystem
/owncloud/htdocs/lib/private/Files/View.php - line 1136: OC\Lockdown\Filesystem\NullStorage->mkdir('files_encryptio...')
/owncloud/htdocs/lib/private/Files/View.php - line 269: OC\Files\View->basicOperation('mkdir', '/<USERNAME>/files_e...', Array)
/owncloud/htdocs/lib/private/Encryption/Keys/Storage.php - line 370: OC\Files\View->mkdir('/<USERNAME>/files_e...')
/owncloud/htdocs/lib/private/Encryption/Keys/Storage.php - line 230: OC\Encryption\Keys\Storage->keySetPreparation('/<USERNAME>/files_e...')
/owncloud/htdocs/lib/private/Encryption/Keys/Storage.php - line 115: OC\Encryption\Keys\Storage->setKey('/<USERNAME>/files_e...', '-----BEGIN PUBL...')
/owncloud/htdocs/apps/encryption/lib/KeyManager.php - line 287: OC\Encryption\Keys\Storage->setUserKey('<USERNAME>', 'publicKey', '-----BEGIN PUBL...', 'OC_DEFAULT_MODU...')
/owncloud/htdocs/apps/encryption/lib/KeyManager.php - line 246: OCA\Encryption\KeyManager->setPublicKey('<USERNAME>', '-----BEGIN PUBL...')
/owncloud/htdocs/apps/encryption/lib/Users/Setup.php - line 77: OCA\Encryption\KeyManager->storeKeyPair('<USERNAME>', '<CLEARTEXT PASSWORD>', Array)
/owncloud/htdocs/apps/encryption/lib/Hooks/UserHooks.php - line 183: OCA\Encryption\Users\Setup->setupUser('<USERNAME>', '<CLEARTEXT PASSWORD>')
/owncloud/htdocs/lib/private/legacy/hook.php - line 106: OCA\Encryption\Hooks\UserHooks->login(*** sensitive parameters replaced ***)
/owncloud/htdocs/lib/private/Server.php - line 363: OC_Hook emit('OC_User', 'post_login', Array)
[internal function] OC\Server->OC\{closure}(Object(OC\User\User), '<CLEARTEXT PASSWORD>')
/owncloud/htdocs/lib/private/Hooks/EmitterTrait.php - line 99: call_user_func_array(Object(Closure), Array)
/owncloud/htdocs/lib/private/Hooks/PublicEmitter.php - line 33: OC\Hooks\BasicEmitter->emit('\\OC\\User', 'postLogin', Array)
/owncloud/htdocs/lib/private/User/Session.php - line 359: OC\Hooks\PublicEmitter->emit('\\OC\\User', 'postLogin', Array)
/owncloud/htdocs/lib/private/User/Session.php - line 591: OC\User\Session->completeLogin(*** sensitive parameters replaced ***)
/owncloud/htdocs/lib/private/User/Session.php - line 324: OC\User\Session->loginWithToken('<PARTIAL CLEARTEXT TOKEN>')
/owncloud/htdocs/lib/private/User/Session.php - line 400: OC\User\Session->login(*** sensitive parameters replaced ***)
/owncloud/htdocs/apps/dav/lib/Connector/Sabre/Auth.php - line 129: OC\User\Session->logClientIn(*** sensitive parameters replaced ***)
/owncloud/htdocs/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php - line 105: OCA\DAV\Connector\Sabre\Auth->validateUserPass(*** sensitive parameters replaced ***)
/owncloud/htdocs/apps/dav/lib/Connector/Sabre/Auth.php - line 252: Sabre\DAV\Auth\Backend\AbstractBasic->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/owncloud/htdocs/apps/dav/lib/Connector/Sabre/Auth.php - line 154: OCA\DAV\Connector\Sabre\Auth->auth(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/owncloud/htdocs/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 201: OCA\DAV\Connector\Sabre\Auth->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/owncloud/htdocs/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 150: Sabre\DAV\Auth\Plugin->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
[internal function] Sabre\DAV\Auth\Plugin->beforeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/owncloud/htdocs/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105: call_user_func_array(Array, Array)
/owncloud/htdocs/3rdparty/sabre/dav/lib/DAV/Server.php - line 466: Sabre\Event\EventEmitter->emit('beforeMethod', Array)
/owncloud/htdocs/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/owncloud/htdocs/apps/dav/lib/Server.php - line 258: Sabre\DAV\Server->exec()
/owncloud/htdocs/apps/dav/appinfo/v2/remote.php - line 33: OCA\DAV\Server->exec()
/owncloud/htdocs/remote.php - line 162: require_once('/owncloud/htdoc...')
{main}

I denoted:

• <USERNAME>
• <CLEARTEXT PASSWORD>
• <PARTIAL CLEARTEXT TOKEN>

I was quite surprised to say the least to even find the user's password and (partial) token in cleartext in the logs, because this means, it has to be saved somewhere in a recoverable state.

So I guess this report is to:

1. Propose a change to the logging procedure, removing this imho really sensitive information (password and token) from the logs
2. Ask about the necessity of the clear-text password being saved on the server in a recoverable state. Is there no better way to use tokens to decrypt the private key, other than to make the user password recoverable? (I guess this is the reasoning behind this mechanism)

General server configuration

Operating system: Linux hermes 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u3 (2017-08-15) x86_64

Web server: nginx/1.12.1 (fpm-fcgi)

Database: pgsql PostgreSQL 9.4.13 on x86_64-unknown-linux-gnu, compiled by gcc (Debian 4.9.2-10) 4.9.2, 64-bit

PHP version: 7.0.23-1~dotdeb+8.1

PHP-modules loaded

 - Core
 - date
 - libxml
 - openssl
 - pcre
 - zlib
 - filter
 - hash
 - Reflection
 - SPL
 - session
 - standard
 - cgi-fcgi
 - igbinary
 - PDO
 - xml
 - calendar
 - ctype
 - curl
 - dom
 - mbstring
 - fileinfo
 - ftp
 - gd
 - gettext
 - iconv
 - imagick
 - imap
 - json
 - exif
 - mcrypt
 - pdo_pgsql
 - pgsql
 - Phar
 - posix
 - readline
 - redis
 - shmop
 - SimpleXML
 - sockets
 - sysvmsg
 - sysvsem
 - sysvshm
 - tokenizer
 - wddx
 - xmlreader
 - xmlwriter
 - xsl
 - zip
 - Zend OPcache

Nextcloud configuration

Nextcloud version: 12.0.3 RC2 - 12.0.3.1

Updated from an older Nextcloud/ownCloud or fresh install: YOUR ANSWER HERE

Where did you install Nextcloud from: YOUR ANSWER HERE

Are you using external storage, if yes which one: Array
(
[0] => \OC\Files\Storage\Local
[1] => \OCA\Files_External\Lib\Storage\FTP
[2] => \OC\Files\Storage\DAV
[3] => \OCA\Files_External\Lib\Storage\OwnCloud
[4] => \OCA\Files_External\Lib\Storage\SFTP
[5] => \OCA\Files_External\Lib\Storage\AmazonS3
[6] => \OCA\Files_External\Lib\Storage\Dropbox
[7] => \OCA\Files_External\Lib\Storage\Google
[8] => \OCA\Files_External\Lib\Storage\Swift
[9] => \OCA\Files_External\Lib\Storage\SFTP
[10] => \OCA\Files_External\Lib\Storage\SMB
[11] => \OCA\Files_External\Lib\Storage\SMB
)

Are you using encryption: yes

Are you using an external user-backend, if yes which one:

Signing status

{
    "calendar": {
        "FILE_MISSING": {
            ".gitignore": {
                "expected": "2ebfa9d965d970eb2f3356f80cbff785c90c9a0d7634b406e49cd4e311826eb4abb482d8be75557cff491837881af2795fc4bd3a8e8d42b24c56d3b53b9b5dee",
                "current": ""
            }
        }
    }
}

This is discussed here nextcloud/calendar#600

Enabled apps

 - activity: 2.5.2
 - admin_audit: 1.2.0
 - admin_notifications: 1.0.0
 - bookmarks: 0.10.1
 - comments: 1.2.0
 - contacts: 1.5.3
 - dav: 1.3.0
 - encryption: 1.6.0
 - federatedfilesharing: 1.2.0
 - federation: 1.2.0
 - files: 1.7.2
 - files_external: 1.3.0
 - files_markdown: 2.0.1
 - files_pdfviewer: 1.1.1
 - files_sharing: 1.4.0
 - files_texteditor: 2.4.1
 - files_trashbin: 1.2.0
 - files_versions: 1.5.0
 - files_videoplayer: 1.1.0
 - firstrunwizard: 2.1
 - gallery: 17.0.0
 - issuetemplate: 0.2.2
 - logreader: 2.0.0
 - lookup_server_connector: 1.0.0
 - nextcloud_announcements: 1.1
 - notes: 2.3.1
 - notifications: 2.0.0
 - oauth2: 1.0.5
 - password_policy: 1.2.2
 - provisioning_api: 1.2.0
 - serverinfo: 1.2.0
 - sharebymail: 1.2.0
 - spreed: 2.0.1
 - survey_client: 1.0.0
 - systemtags: 1.2.0
 - tasks: 0.9.5
 - theming: 1.3.0
 - twofactor_backupcodes: 1.1.1
 - twofactor_totp: 1.3.1
 - twofactor_u2f: 1.3.3
 - updatenotification: 1.2.0
 - workflowengine: 1.2.0

Disabled apps

 - audioplayer
 - calendar
 - user_external
 - user_ldap

Content of config/config.php

{
    "instanceid": "oc676d29f5b0",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "***REMOVED SENSITIVE VALUE***"
    ],
    "datadirectory": "\/owncloud\/data",
    "dbtype": "pgsql",
    "version": "12.0.3.1",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "localhost",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "forcessl": true,
    "theme": "",
    "maintenance": false,
    "secret": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_from_address": "owncloud",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpsecure": "tls",
    "singleuser": false,
    "forceSSLforSubdomains": true,
    "loglevel": 2,
    "filelocking.enabled": "false",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "localhost",
        "port": 6379,
        "timeout": 0,
        "dbindex": 0
    },
    "trashbin_retention_obligation": "auto",
    "updater.release.channel": "beta",
    "overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***"
}

Client configuration

Browser: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.113 Chrome/60.0.3112.113 Safari/537.36

Operating system: Ubuntu 16.10

[nickvergessen]

Propose a change to the logging procedure, removing this imho really sensitive information (password and token) from the logs

We are doing this already:

server/lib/private/Log.php

Lines 63 to 99 in b68609d

	protected $methodsWithSensitiveParameters = [
	// Session/User
	'completeLogin',
	'login',
	'checkPassword',
	'checkPasswordNoLogging',
	'loginWithPassword',
	'updatePrivateKeyPassword',
	'validateUserPass',
	// TokenProvider
	'getToken',
	'isTokenPassword',
	'getPassword',
	'decryptPassword',
	'logClientIn',
	'generateToken',
	'validateToken',
	// TwoFactorAuth
	'solveChallenge',
	'verifyChallenge',
	// ICrypto
	'calculateHMAC',
	'encrypt',
	'decrypt',
	// LoginController
	'tryLogin',
	'confirmPassword',
	// LDAP
	'bind',
	'areCredentialsValid',
	'invokeLDAPMethod',
	];

Do you want to send a pull request to extend the list of methods? 😉

As for the recoverable password. There are multiple reasons, one is that we might need it for external storages anyway.

[Fiech]

I can try... Altough I'm at least 2 PR behind in my plan, because last weekend was stupidly full again ;-)

So I most likely won't have time to tend to this until this weekend...

[Fiech]

Hmm... I just got around to test this, but the at least in the 13.0.0a version the problem does not exist (at least without 2FA, but I cannot find the 2FA-app for this version yet).

Has something changed in regards to the loggin procedure, if the app token has no access to the file system?

I can and will however make a "blind" PR, simply adding the affected methods in the log to the array.

//edit: In this context, how does one censor this line:

[internal function] OC\Server->OC\{closure}(Object(OC\User\User), '<CLEARTEXT PASSWORD>')

[nickvergessen]

Try \{closure\}

[Fiech]

I created the PR, I guess we can close this...

[MorrisJobke]

I created the PR, I guess we can close this...

Close it once it is merged ;) Or use Githubs automatic closing feature https://help.github.com/articles/closing-issues-using-keywords/ 😉