After upgrade from 8.2 to 9.1: plain password in owncloud.log #25895

Closed
kostas707 opened this Issue Aug 22, 2016 · 2 comments


@kostas707
kostas707 commented Aug 22, 2016 edited

ownCloud version 9.1. When entering a login on the web page, the plain password is shown in owncloud.log.

Steps to reproduce

Open the ownCloud web page and log in with:
user: aaaaa
password: bbbbb


{"reqId":"tAboChzhlAec4q9vgwvN","remoteAddr":"192.168.100.15","app":"user_ldap","message":"Exception: {"Exception":"Exception","Message":"No user available for the given login name on 10.90.2.23:10389","Code":0,"Trace":"
#0 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(120): OCA\User_LDAP\User_LDAP->getLDAPUserByLoginName('aaaaa')
#1 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword(*** sensitive parameters replaced ***)
#2 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(67): call_user_func_array(Array, Array)
#3 /var/www/owncloud/apps/user_ldap/lib/Proxy.php(139): OCA\User_LDAP\User_Proxy->walkBackends('aaaaa', 'checkPassword', Array)
#4 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(182): OCA\User_LDAP\Proxy->handleRequest('aaaaa', 'checkPassword', Array)
#5 /var/www/owncloud/lib/private/User/Manager.php(190): OCA\User_LDAP\User_Proxy->checkPassword(*** sensitive parameters replaced ***)
#6 /var/www/owncloud/core/Controller/LoginController.php(177): OC\User\Manager->checkPassword(*** sensitive parameters replaced ***)
#7 [internal function]: OC\Core\Controller\LoginController->tryLogin('aaaaa', 'bbbbb', NULL)
#8 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(159): call_user_func_array(Array, Array)
#9 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(89): OC\AppFramework\Http\Dispatcher->executeController(Object(OC\Core\Controller\LoginController), 'tryLogin')
#10 /var/www/owncloud/lib/private/AppFramework/App.php(110): OC\AppFramework\Http\Dispatcher->dispatch(Object(OC\Core\Controller\LoginController), 'tryLogin')
#11 /var/www/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('LoginController', 'tryLogin', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#12 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#13 /var/www/owncloud/lib/private/Route/Router.php(280): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
#14 /var/www/owncloud/lib/base.php(891): OC\Route\Router->match('/login')
#15 /var/www/owncloud/index.php(39): OC::handleRequest()
#16 {main}","File":"/var/www/owncloud/apps/user_ldap/lib/User_LDAP.php","Line":104}","level":3,"time":"2016-08-22T10:53:35+00:00","method":"POST","url":"/index.php/login?user=aaaaa","user":"--"}
{"reqId":"tAboChzhlAec4q9vgwvN","remoteAddr":"192.168.100.15","app":"user_ldap","message":"Exception: {"Exception":"Exception","Message":"No user available for the given login name on 192.168.1.14:3268","Code":0,"Trace":"

Expected behaviour

In ownCloud 8.2 with the same loglevel there were no plain passwords in the log.

Server configuration

Debian 8
Apache/2.4.10 (Debian)
mysql Ver 14.14 Distrib 5.5.44, for debian-linux-gnu (x86_64) using readline 6.3
PHP 5.6.9-0+deb8u1 (cli) (built: Jun 5 2015 11:03:27)
OwnCloud 9.1
Version update procedure:

  1. sudo -u www-data php occ maintenance:mode --on
  2. /etc/init.d/apache2 stop
  3. gunzip -c owncloud-files_9.1.0.orig.tar.gz | tar xvf -
  4. chown -hR www-data:www-data owncloud/
  5. back up the config/ and data/ directories.
  6. remove the old files and copy in the new ones (except config/config.php)
  7. /etc/init.d/apache2 restart
  8. cd /var/www/owncloud
  9. sudo -u www-data php occ upgrade

Where did you install ownCloud from:
http://download.owncloud.org/download/repositories/9.1.0/Debian_8.0/owncloud-files_9.1.0.orig.tar.gz

Signing status (ownCloud 9.0 and above):

http://example.com/index.php/settings/integrity/failed - paste the results here:
No errors have been found.

**List of activated apps:**

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder

Enabled:
- dav: 0.2.5
- federatedfilesharing: 0.3.0
- files: 1.5.1
- user_ldap: 0.9.0

Disabled:
- activity
- comments
- encryption
- external
- federation
- files_antivirus
- files_external
- files_pdfviewer
- files_sharing
- files_texteditor
- files_trashbin
- files_versions
- files_videoplayer
- firstrunwizard
- gallery
- notifications
- provisioning_api
- systemtags
- templateeditor
- updatenotification
- user_external

**The content of config/config.php:**
# cat config.php

<?php
$CONFIG = array (
  'instanceid' => 'instance_id',
  'passwordsalt' => 'pAsSwOrDsAlT',
  'secret' => 'SeCrEt',
  'trusted_domains' => 
  array (
    0 => 'domain.domain.org',
  ),
  'datadirectory' => '/var/www/owncloud/data',
  'overwrite.cli.url' => 'http://files.files.org/owncloud',
  'dbtype' => 'mysql',
  'version' => '9.1.0.15',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'forcessl' => true,
  'forceSSLforSubdomains' => true,
  'session_lifetime' => 28800,
  'mail_from_address' => 'owncloud',
  'mail_domain' => 'domain.org',
  'mail_smtphost' => 'smtp.smtp.org',
  'mail_smtpport' => '25',
  'ldapIgnoreNamingRules' => false,
  'preview_libreoffice_path' => '/usr/bin/libreoffice',
  'loglevel' => '4',
  'maintenance' => false,
  'dbname' => 'owncloud',
  'dbhost' => '127.0.0.1',
  'dbuser' => 'username',
  'dbpassword' => 'pass',
  'theme' => '',
  'trashbin_retention_obligation' => 'auto',
);

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder
root@sfiles:/var/www/owncloud# sudo -u www-data php occ config:list system
{
"system": {
"instanceid": "instanceid",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"sfiles.sfiles.org"
],
"datadirectory": "/var/www/owncloud/data",
"overwrite.cli.url": "http://files.files.org/owncloud",
"dbtype": "mysql",
"version": "9.1.0.15",
"installed": true,
"mail_smtpmode": "smtp",
"forcessl": true,
"forceSSLforSubdomains": true,
"session_lifetime": 28800,
"mail_from_address": "owncloud",
"mail_domain": "files.org",
"mail_smtphost": "smtp.smtp.org",
"mail_smtpport": "25",
"ldapIgnoreNamingRules": false,
"preview_libreoffice_path": "/usr/bin/libreoffice",
"loglevel": "4",
"maintenance": false,
"dbname": "owncloud",
"dbhost": "127.0.0.1",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"theme": "",
"trashbin_retention_obligation": "auto"
}
}
root@files:/var/www/owncloud#

Are you using external storage, if yes which one: local/smb/sftp/...
no

Are you using encryption: yes/no
no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
LDAP and Active Directory

@DeepDiver1975 DeepDiver1975 self-assigned this Aug 22, 2016
@DeepDiver1975 DeepDiver1975 added this to the 9.2 milestone Aug 22, 2016
@DeepDiver1975 DeepDiver1975 added a commit that referenced this issue Aug 22, 2016
@DeepDiver1975 DeepDiver1975 Don't log credentials of LoginController::tryLogin - fixes #25895 08b0b56
@DeepDiver1975 DeepDiver1975 added a commit that referenced this issue Aug 22, 2016
@DeepDiver1975 DeepDiver1975 Don't log credentials of LoginController::tryLogin - fixes #25895 b29f1c9
@kostas707

Thanks for the quick response. I've checked #25902. When logging in with a fake user, no password is shown. But when connecting with an existing domain username and the correct password, the password is still in the log.

{"reqId":"MTRK5tqbshYzakztCAoW","remoteAddr":"192.168.100.15","app":"user_ldap","message":"Exception: {"Exception":"Exception","Message":"No user available for the given login name on 10.90.2.23:10389","Code":0,"Trace":"
#0 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(120): OCA\User_LDAP\User_LDAP->getLDAPUserByLoginName('domain.username...')
#1 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword(*** sensitive parameters replaced ***)
#2 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(67): call_user_func_array(Array, Array)
#3 /var/www/owncloud/apps/user_ldap/lib/Proxy.php(139): OCA\User_LDAP\User_Proxy->walkBackends('domain.username...', 'checkPassword', Array)
#4 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(182): OCA\User_LDAP\Proxy->handleRequest('domain.username...', 'checkPassword', Array)
#5 /var/www/owncloud/lib/private/User/Manager.php(190): OCA\User_LDAP\User_Proxy->checkPassword(*** sensitive parameters replaced ***)
#6 /var/www/owncloud/core/Controller/LoginController.php(177): OC\User\Manager->checkPassword(*** sensitive parameters replaced ***)
#7 [internal function]: OC\Core\Controller\LoginController->tryLogin(*** sensitive parameters replaced ***)
#8 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(159): call_user_func_array(Array, Array)
#9 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(89): OC\AppFramework\Http\Dispatcher->executeController(Object(OC\Core\Controller\LoginController), 'tryLogin')
#10 /var/www/owncloud/lib/private/AppFramework/App.php(110): OC\AppFramework\Http\Dispatcher->dispatch(Object(OC\Core\Controller\LoginController), 'tryLogin')
#11 /var/www/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('LoginController', 'tryLogin', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#12 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#13 /var/www/owncloud/lib/private/Route/Router.php(280): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
#14 /var/www/owncloud/lib/base.php(891): OC\Route\Router->match('/login')
#15 /var/www/owncloud/index.php(39): OC::handleRequest()
#16 {main}","File":"/var/www/owncloud/apps/user_ldap/lib/User_LDAP.php","Line":104}","level":3,"time":"2016-08-23T06:03:08+00:00","method":"POST","url":"/index.php/login","user":"--"}

{"reqId":"MTRK5tqbshYzakztCAoW","remoteAddr":"192.168.100.15","app":"user_ldap","message":"Exception: {"Exception":"Exception","Message":"No user available for the given login name on 10.90.2.23:10389","Code":0,"Trace":"
#0 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(120): OCA\User_LDAP\User_LDAP->getLDAPUserByLoginName('domain.username...')
#1 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword(*** sensitive parameters replaced ***)
#2 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(67): call_user_func_array(Array, Array)
#3 /var/www/owncloud/apps/user_ldap/lib/Proxy.php(139): OCA\User_LDAP\User_Proxy->walkBackends('domain.username...', 'checkPassword', Array)
#4 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(182): OCA\User_LDAP\Proxy->handleRequest('domain.username...', 'checkPassword', Array)
#5 /var/www/owncloud/lib/private/User/Manager.php(190): OCA\User_LDAP\User_Proxy->checkPassword(*** sensitive parameters replaced ***)
#6 /var/www/owncloud/lib/private/User/Session.php(427): OC\User\Manager->checkPassword(*** sensitive parameters replaced ***)
#7 /var/www/owncloud/lib/private/User/Session.php(287): OC\User\Session->loginWithPassword('domain.username...', ---> 'plain_password!!!') ---<
#8 /var/www/owncloud/core/Controller/LoginController.php(196): OC\User\Session->login(*** sensitive parameters replaced ***)
#9 [internal function]: OC\Core\Controller\LoginController->tryLogin(*** sensitive parameters replaced ***)
#10 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(159): call_user_func_array(Array, Array)
#11 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(89): OC\AppFramework\Http\Dispatcher->executeController(Object(OC\Core\Controller\LoginController), 'tryLogin')
#12 /var/www/owncloud/lib/private/AppFramework/App.php(110): OC\AppFramework\Http\Dispatcher->dispatch(Object(OC\Core\Controller\LoginController), 'tryLogin')
#13 /var/www/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('LoginController', 'tryLogin', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#14 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#15 /var/www/owncloud/lib/private/Route/Router.php(280): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
#16 /var/www/owncloud/lib/base.php(891): OC\Route\Router->match('/login')
#17 /var/www/owncloud/index.php(39): OC::handleRequest()
#18 {main}","File":"/var/www/owncloud/apps/user_ldap/lib/User_LDAP.php","Line":104}","level":3,"time":"2016-08-23T06:03:08+00:00","method":"POST","url":"/index.php/login","user":"--"}

{"reqId":"PEaoW0KkIpTbe3dR3OT7","remoteAddr":"192.168.100.15","app":"user_ldap","message":"Exception: {"Exception":"Exception","Message":"No user available for the given login name on 10.90.2.23:10389","Code":0,"Trace":"
#0 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(120): OCA\User_LDAP\User_LDAP->getLDAPUserByLoginName('domain.username...')
#1 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword(*** sensitive parameters replaced ***)
#2 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(67): call_user_func_array(Array, Array)
#3 /var/www/owncloud/apps/user_ldap/lib/Proxy.php(139): OCA\User_LDAP\User_Proxy->walkBackends('domain.username...', 'checkPassword', Array)
#4 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(182): OCA\User_LDAP\Proxy->handleRequest('domain.username...', 'checkPassword', Array)
#5 /var/www/owncloud/lib/private/User/Manager.php(190): OCA\User_LDAP\User_Proxy->checkPassword(*** sensitive parameters replaced ***)
#6 /var/www/owncloud/lib/private/User/Session.php(591): OC\User\Manager->checkPassword(*** sensitive parameters replaced ***)
#7 /var/www/owncloud/lib/private/User/Session.php(626): OC\User\Session->checkTokenCredentials(Object(OC\Authentication\Token\DefaultToken), 'vphb8idv8kgpc4i...')
#8 /var/www/owncloud/lib/private/User/Session.php(221): OC\User\Session->validateToken(*** sensitive parameters replaced ***)
#9 /var/www/owncloud/lib/private/User/Session.php(196): OC\User\Session->validateSession()
#10 /var/www/owncloud/lib/private/App/AppManager.php(152): OC\User\Session->getUser()
#11 /var/www/owncloud/lib/private/legacy/app.php(313): OC\App\AppManager->isEnabledForUser('user_webdavauth')
#12 /var/www/owncloud/lib/public/App.php(131): OC_App::isEnabled('user_webdavauth')
#13 /var/www/owncloud/apps/user_ldap/appinfo/app.php(72): OCP\App::isEnabled('user_webdavauth')
#14 /var/www/owncloud/lib/private/legacy/app.php(186): require_once('/var/www/ownclo...')
#15 /var/www/owncloud/lib/private/legacy/app.php(149): OC_App::requireAppFile('user_ldap')
#16 /var/www/owncloud/lib/private/legacy/app.php(119): OC_App::loadApp('user_ldap')
#17 /var/www/owncloud/lib/base.php(861): OC_App::loadApps(Array)
#18 /var/www/owncloud/index.php(39): OC::handleRequest()
#19 {main}","File":"/var/www/owncloud/apps/user_ldap/lib/User_LDAP.php","Line":104}","level":3,"time":"2016-08-23T06:03:08+00:00","method":"GET","url":"/index.php/apps/files/","user":"domain.username"}
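Both reports in this thread show the same failure mode: PHP's exception backtrace records the literal arguments of every frame, so a login failure logged at loglevel 3 carries the password unless the logger redacts the frames of credential-taking methods (`tryLogin` in the issue body, `loginWithPassword` in the follow-up). The scanner below is an added example written for this page, not ownCloud code: it parses ownCloud-style JSON log lines, flags trace frames where such a method's arguments were logged unredacted, and rewrites the line with those frames redacted. The list of sensitive method names is assembled from the frames quoted above and is an assumption; the sample log lines, the `ldap.example.invalid` host and the 192.0.2.10 address are constructed test data.

```python
"""Detect and redact passwords leaked through PHP exception traces in
ownCloud-style JSON log lines (added example for this issue; not ownCloud code)."""
import json
import re

# Methods whose positional arguments carry a password, taken from the frames
# quoted in this issue. Assumption: a real deployment would extend this list.
SENSITIVE_METHODS = {"checkPassword", "tryLogin", "loginWithPassword",
                     "login", "validateToken"}
REDACTED = "*** sensitive parameters replaced ***"

# One PHP backtrace frame, e.g.
# "#7 [internal function]: OC\Core\Controller\LoginController->tryLogin('aaaaa', 'bbbbb', NULL)"
FRAME_RE = re.compile(r"^#(?P<idx>\d+) (?P<loc>.+?): (?P<callee>[^(]+)\((?P<args>.*)\)$")


def method_name(callee):
    """'OC\\User\\Session->loginWithPassword' -> 'loginWithPassword' (also handles '::')."""
    return re.split(r"->|::", callee)[-1]


def split_message(message):
    """Return (prefix, inner_dict) for an 'Exception: {...}' message, else None."""
    prefix = "Exception: "
    if not message.startswith(prefix):
        return None
    try:
        return prefix, json.loads(message[len(prefix):])
    except json.JSONDecodeError:
        return None


def find_leaks(line):
    """Return [(method, args)] for trace frames that log a sensitive method's arguments."""
    parsed = split_message(json.loads(line).get("message", ""))
    if parsed is None:
        return []
    leaks = []
    for raw in parsed[1].get("Trace", "").split("\n"):
        m = FRAME_RE.match(raw.strip())
        if m and method_name(m.group("callee")) in SENSITIVE_METHODS \
                and REDACTED not in m.group("args"):
            leaks.append((method_name(m.group("callee")), m.group("args")))
    return leaks


def redact_trace(trace):
    """Replace the argument list of every sensitive-method frame; other frames unchanged."""
    out = []
    for raw in trace.split("\n"):
        m = FRAME_RE.match(raw.strip())
        if m and method_name(m.group("callee")) in SENSITIVE_METHODS:
            out.append("#%s %s: %s(%s)" % (m.group("idx"), m.group("loc"),
                                           m.group("callee"), REDACTED))
        else:
            out.append(raw)
    return "\n".join(out)


def redact_log_line(line):
    """Rewrite one JSON log line with sensitive frames redacted; other lines pass through."""
    entry = json.loads(line)
    parsed = split_message(entry.get("message", ""))
    if parsed is None:
        return line
    prefix, inner = parsed
    inner["Trace"] = redact_trace(inner.get("Trace", ""))
    entry["message"] = prefix + json.dumps(inner)
    return json.dumps(entry)


def scan(lines):
    """Yield (reqId, method, args) for every leak in an iterable of log lines."""
    for line in lines:
        if line.strip():
            for method, args in find_leaks(line):
                yield json.loads(line).get("reqId"), method, args


def make_log_line(req_id, frames, url="/index.php/login"):
    """Build a CONSTRUCTED ownCloud-style log line for testing (not a real log)."""
    inner = {"Exception": "Exception", "Code": 0, "Line": 104,
             "Message": "No user available for the given login name on ldap.example.invalid:389",
             "File": "/var/www/owncloud/apps/user_ldap/lib/User_LDAP.php",
             "Trace": "\n".join(frames)}
    return json.dumps({"reqId": req_id, "remoteAddr": "192.0.2.10", "app": "user_ldap",
                       "message": "Exception: " + json.dumps(inner), "level": 3,
                       "time": "2016-08-23T06:03:08+00:00", "method": "POST",
                       "url": url, "user": "--"})


# Constructed samples mirroring the two leak shapes quoted in this issue.
PRE_FIX_LINE = make_log_line("req1", [
    "#0 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(120): OCA\\User_LDAP\\User_LDAP->getLDAPUserByLoginName('aaaaa')",
    "#1 [internal function]: OCA\\User_LDAP\\User_LDAP->checkPassword(" + REDACTED + ")",
    "#2 [internal function]: OC\\Core\\Controller\\LoginController->tryLogin('aaaaa', 'bbbbb', NULL)",
    "#3 {main}"])
PARTIAL_FIX_LINE = make_log_line("req2", [
    "#0 /var/www/owncloud/lib/private/User/Session.php(287): OC\\User\\Session->loginWithPassword('domain.username...', 'plain_password!!!')",
    "#1 [internal function]: OC\\Core\\Controller\\LoginController->tryLogin(" + REDACTED + ")",
    "#2 {main}"])

if __name__ == "__main__":
    for req_id, method, args in scan([PRE_FIX_LINE, PARTIAL_FIX_LINE]):
        print("%s: %s(%s)" % (req_id, method, args))
```

To run it over a real owncloud.log, pass the file's lines to `scan()`; a hit means the password of a real user is sitting in a world-readable-by-webserver file and the log should be rotated out and the affected users told to change their password. Note the third trace above (`checkTokenCredentials(Object(...), 'vphb8idv8kgpc4i...')`) logs a session token literal in the same way; PHP truncates it to 15 characters, which is why it is not in the sensitive set here, but a deployment that wants it flagged only needs to add the method name.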

@DeepDiver1975
Member

THX. Will take care

@PVince81 PVince81 closed this in #25902 Aug 24, 2016
@PVince81 PVince81 added a commit that referenced this issue Aug 24, 2016
DeepDiver1975 + PVince81 Don't log credentials of LoginController::tryLogin (#25902)
* Don't log credentials of LoginController::tryLogin - fixes #25895

* Don't log password in loginWithPassword
c1aa090
@DeepDiver1975 DeepDiver1975 added a commit that referenced this issue Aug 24, 2016
DeepDiver1975 [stable9.1] Don't log credentials of LoginController::tryLogin (#25902)
* Don't log credentials of LoginController::tryLogin - fixes #25895

* Don't log password in loginWithPassword
7609b7a
@DeepDiver1975 DeepDiver1975 added a commit that referenced this issue Aug 29, 2016
DeepDiver1975 [stable9.1] Don't log credentials of LoginController::tryLogin (#25902) (#25935)

* Don't log credentials of LoginController::tryLogin - fixes #25895

* Don't log password in loginWithPassword
74c2c63