User passwords are shown in the log file #24328

Closed
ckruetze opened this Issue Apr 28, 2016 · 1 comment

@ckruetze

Steps to reproduce

  1. Use ownCloud together with a Samba server for LDAP authentication
  2. Update your Samba server or misconfigure it so that authentication fails

Expected behaviour

The user passwords should never be shown to the admins and they should not be saved in any log files.

Actual behaviour

The user passwords are visible in clear text in the admin interface.
If the Samba admin makes a mistake, or even during a planned update, there might be a short period where the login won't work.
If users try to access the cloud during that time, login won't work, which is expected; however, ownCloud saves the failed login attempts in the log file including the username and password. I have replaced the actual password with "!PASSWORD!" in the log below.

For us this is a major security concern and all affected users had to immediately change passwords.

The solution would be to not log the users password.

Server configuration

Operating system:
Ubuntu

Web server:
Apache2

Database:
MySQL

PHP version:
PHP 7.0.5-3+donate.sury.org~trusty+1

ownCloud version: (see ownCloud admin page)
ownCloud 9.0.1 (stable)

Updated from an older ownCloud or fresh install:
updated

Where did you install ownCloud from:

Signing status (ownCloud 9.0 and above):

No errors have been found.

List of activated apps:

Enabled:
  - activity: 2.2.1
  - comments: 0.2
  - dav: 0.1.6
  - federatedfilesharing: 0.1.0
  - federation: 0.0.4
  - files: 1.4.4
  - files_pdfviewer: 0.8
  - files_sharing: 0.9.1
  - files_texteditor: 2.1
  - files_trashbin: 0.8.0
  - files_versions: 1.2.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 14.5.0
  - notifications: 0.2.3
  - provisioning_api: 0.4.1
  - systemtags: 0.2
  - templateeditor: 0.1
  - updatenotification: 0.1.0
  - user_ldap: 0.8.0
Disabled:
  - encryption
  - external
  - files_external
  - galleryplus
  - search_lucene
  - user_external

The content of config/config.php:

{
    "system": {
        "instanceid": "ochkgc8ykk8s",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.balticfinance.com"
        ],
        "datadirectory": "\/var\/www\/owncloud\/data",
        "overwrite.cli.url": "https:\/\/cloud.balticfinance.com\/owncloud",
        "dbtype": "mysql",
        "version": "9.0.1.3",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "ldapIgnoreNamingRules": false,
        "forcessl": true,
        "forceSSLforSubdomains": true,
        "theme": "",
        "maintenance": false,
        "appstore.experimental.enabled": true,
        "loglevel": 3,
        "trashbin_retention_obligation": "auto",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "updatechecker": false
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

+-------------------------------+---------------------------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                                               |
+-------------------------------+---------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 0                                                                                                             |
| hasPagedResultSupport         |                                                                                                               |
| homeFolderNamingRule          |                                                                                                               |
| lastJpegPhotoLookup           | 0                                                                                                             |
| ldapAgentName                 | ***REMOVED SENSITIVE VALUE***                                                                                 |
| ldapAgentPassword             | ***REMOVED SENSITIVE VALUE***                                                                                 |
| ldapAttributesForGroupSearch  | samaccountname                                                                                                |
| ldapAttributesForUserSearch   |                                                                                                               |
| ldapBackupHost                |                                                                                                               |
| ldapBackupPort                | 389                                                                                                           |
| ldapBase                      | cn=Users,dc=balticfinance,dc=com                                                                              |
| ldapBaseGroups                | ou=Users,dc=balticfinance,dc=com                                                                              |
| ldapBaseUsers                 | dc=balticfinance,dc=com                                                                                       |
| ldapCacheTTL                  | 600                                                                                                           |
| ldapConfigurationActive       | 1                                                                                                             |
| ldapDynamicGroupMemberURL     |                                                                                                               |
| ldapEmailAttribute            | mail                                                                                                          |
| ldapExperiencedAdmin          | 1                                                                                                             |
| ldapExpertUUIDGroupAttr       |                                                                                                               |
| ldapExpertUUIDUserAttr        |                                                                                                               |
| ldapExpertUsernameAttr        | sAMAccountName                                                                                                |
| ldapGroupDisplayName          | cn                                                                                                            |
| ldapGroupFilter               | (&(|(objectclass=group)(objectclass=top)))                                                                    |
| ldapGroupFilterGroups         |                                                                                                               |
| ldapGroupFilterMode           | 1                                                                                                             |
| ldapGroupFilterObjectclass    | group                                                                                                         |
| ldapGroupMemberAssocAttr      | member                                                                                                        |
| ldapHost                      | ***REMOVED SENSITIVE VALUE***                                                                                 |
| ldapIgnoreNamingRules         |                                                                                                               |
| ldapLoginFilter               | (&(objectclass=user)(samaccountname=%uid)(memberOf=cn=xxxxxxxxxx,ou=serviceaccounts,dc=balticfinance,dc=com)) |
| ldapLoginFilterAttributes     |                                                                                                               |
| ldapLoginFilterEmail          | 0                                                                                                             |
| ldapLoginFilterMode           | 1                                                                                                             |
| ldapLoginFilterUsername       | 1                                                                                                             |
| ldapNestedGroups              | 0                                                                                                             |
| ldapOverrideMainServer        | 0                                                                                                             |
| ldapPagingSize                | 500                                                                                                           |
| ldapPort                      | 389                                                                                                           |
| ldapQuotaAttribute            |                                                                                                               |
| ldapQuotaDefault              |                                                                                                               |
| ldapTLS                       | 0                                                                                                             |
| ldapUserDisplayName           | displayname                                                                                                   |
| ldapUserDisplayName2          |                                                                                                               |
| ldapUserFilter                | (&(objectClass=user)(memberOf=cn=xxxxxxxxxx,ou=serviceaccounts,dc=balticfinance,dc=com))                      |
| ldapUserFilterGroups          |                                                                                                               |
| ldapUserFilterMode            | 1                                                                                                             |
| ldapUserFilterObjectclass     | user                                                                                                          |
| ldapUuidGroupAttribute        | auto                                                                                                          |
| ldapUuidUserAttribute         | auto                                                                                                          |
| turnOffCertCheck              | 0                                                                                                             |
| useMemberOfToDetectMembership | 1                                                                                                             |
+-------------------------------+---------------------------------------------------------------------------------------------------------------+

Client configuration

Browser:
Firefox but also various others
Operating system:
Ubuntu

ownCloud log (data/owncloud.log)

{"reqId":"0T8xif66xDPdDXcOfP0s","remoteAddr":"10.49.1.118","app":"user_ldap","message":"No LDAP Connection to server ***REMOVED SENSITIVE VALUE***","level":3,"time":"2016-04-26T18:08:17+00:00","method":"PROPFIND","url":"\/remote.php\/webdav\/","user":"--"}
{"reqId":"0T8xif66xDPdDXcOfP0s","remoteAddr":"10.49.1.118","app":"user_ldap","message":"Exception: {\"Exception\":\"OC\\\\ServerNotAvailableException\",\"Message\":\"Connection to LDAP server could not be established\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/access.php(845): OCA\\\\user_ldap\\\\lib\\\\Connection->getConnectionResource()\\n#1 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/access.php(1011): OCA\\\\user_ldap\\\\lib\\\\Access->executeSearch('(&(objectclass=...', Array, Array, NULL, NULL)\\n#2 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/access.php(781): OCA\\\\user_ldap\\\\lib\\\\Access->search('(&(objectclass=...', Array, Array, NULL, NULL)\\n#3 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/access.php(704): OCA\\\\user_ldap\\\\lib\\\\Access->searchUsers('(&(objectclass=...', Array, NULL, NULL)\\n#4 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/access.php(678): OCA\\\\user_ldap\\\\lib\\\\Access->fetchListOfUsers('(&(objectclass=...', Array)\\n#5 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/user_ldap.php(103): OCA\\\\user_ldap\\\\lib\\\\Access->fetchUsersByLoginName('christian', Array, 1)\\n#6 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/user_ldap.php(120): OCA\\\\user_ldap\\\\USER_LDAP->getLDAPUserByLoginName('christian')\\n#7 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/user\\\/manager.php(183): OCA\\\\user_ldap\\\\USER_LDAP->checkPassword(*** username and password replaced ***)\\n#8 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/user\\\/session.php(219): OC\\\\User\\\\Manager->checkPassword(*** username and password replaced ***)\\n#9 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/lib\\\/connector\\\/sabre\\\/auth.php(106): OC\\\\User\\\\Session->login(*** username and password replaced ***)\\n#10 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Backend\\\/AbstractBasic.php(105): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Auth->validateUserPass('christian', '!PASSWORD!')\\n#11 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/lib\\\/connector\\\/sabre\\\/auth.php(220): Sabre\\\\DAV\\\\Auth\\\\Backend\\\\AbstractBasic->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#12 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/lib\\\/connector\\\/sabre\\\/auth.php(127): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Auth->auth(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#13 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php(163): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Auth->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#14 [internal function]: Sabre\\\\DAV\\\\Auth\\\\Plugin->beforeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#15 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#16 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(446): Sabre\\\\Event\\\\EventEmitter->emit('beforeMethod', Array)\\n#17 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(248): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#18 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(55): Sabre\\\\DAV\\\\Server->exec()\\n#19 \\\/var\\\/www\\\/owncloud\\\/remote.php(138): require_once('\\\/var\\\/www\\\/ownclo...')\\n#20 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/connection.php\",\"Line\":175}","level":3,"time":"2016-04-26T18:08:17+00:00","method":"PROPFIND","url":"\/remote.php\/webdav\/","user":"--"}

@ghost
ghost commented Apr 28, 2016

Always a problem if a blacklist approach is taken: #16318, #19346

cc @LukasReschke
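The trace quoted in the issue shows why the password reached the log: frames 7 to 9 were masked because their methods were on a list of known credential-taking calls, while the Sabre basic-auth frame 10 was not, which is the blacklist problem the comment above points at. The following Python is an added example, not ownCloud code: a log scrubber run over a constructed record of the same shape, contrasting the per-method blacklist with masking every string argument in every frame. The regexes, the `scrub_trace`/`scrub_log_line` names and the sample record are assumptions.

```python
import json
import re

# PHP-style string literal inside a trace frame, e.g. 'christian'
STRING_ARG = re.compile(r"'(?:[^'\\]|\\.)*'")
# "#7 /path/file.php(183): OC\User\Manager->checkPassword(...)" -> prefix, callee, args
FRAME = re.compile(r"^(#\d+ .*?: )([\w\\]+(?:(?:->|::)\w+)?)\((.*)\)$")
REDACTED = "*** username and password replaced ***"

# Constructed sample shaped like the record in the issue, cut to three frames: the
# ownCloud method in frame 7 was on the masking blacklist, the Sabre callback was not.
SAMPLE_TRACE = (
    "#7 /var/www/owncloud/lib/private/user/manager.php(183): "
    "OC\\User\\Manager->checkPassword(*** username and password replaced ***)\n"
    "#10 /var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php(105): "
    "OCA\\DAV\\Connector\\Sabre\\Auth->validateUserPass('christian', '!PASSWORD!')\n"
    "#20 {main}"
)
SAMPLE_LINE = json.dumps({"reqId": "constructed", "app": "user_ldap", "level": 3,
    "message": "Exception: " + json.dumps({"Exception": "OC\\ServerNotAvailableException",
    "Message": "Connection to LDAP server could not be established", "Code": 0,
    "Trace": SAMPLE_TRACE, "File": "apps/user_ldap/lib/connection.php", "Line": 175})})

def scrub_trace(trace, blacklist=None):
    """blacklist=None masks every string literal in every frame (deny by default);
    otherwise only listed callees are masked, the approach validateUserPass() slipped past."""
    out = []
    for frame in trace.split("\n"):
        m = FRAME.match(frame)
        if m:  # "#20 {main}" has no callee and is passed through unchanged
            prefix, callee, args = m.groups()
            name = callee.split("->")[-1].split("::")[-1]
            if blacklist is None:
                args = STRING_ARG.sub("'***'", args)
            elif name in blacklist:
                args = REDACTED
            frame = f"{prefix}{callee}({args})"
        out.append(frame)
    return "\n".join(out)

def scrub_log_line(line, blacklist=None):
    """Apply scrub_trace() to the Trace nested inside an ownCloud JSON log record."""
    record = json.loads(line)
    if not record.get("message", "").startswith("Exception: "):
        return line  # plain records have nothing to mask
    exc = json.loads(record["message"][len("Exception: "):])
    exc["Trace"] = scrub_trace(exc["Trace"], blacklist)
    record["message"] = "Exception: " + json.dumps(exc)
    return json.dumps(record)
```

Calling `scrub_log_line(SAMPLE_LINE, {"checkPassword", "login"})` reproduces the leak, while `scrub_log_line(SAMPLE_LINE)` leaves no literal argument in any frame.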

@PVince81 PVince81 added the bug label Apr 28, 2016
@PVince81 PVince81 added this to the 9.1-current milestone Apr 28, 2016
@nickvergessen nickvergessen self-assigned this Apr 29, 2016