
[Bug]: The LDAP password is visible in plain text in logs #39035

Closed
5 of 8 tasks
Chifilly opened this issue Jun 27, 2023 · 2 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug

Comments

@Chifilly


Bug description

In helping diagnose and troubleshoot #38902 I had to post logs of running some commands on my instance. I noticed when doing this that the LDAP password is shown in plain text in the ldap_bind log as below:

{
	"reqId": "1IAV3J2CIoke20M2s8OF",
	"level": 0,
	"time": "2023-06-27T12:45:02+00:00",
	"remoteAddr": "",
	"user": "--",
	"app": "user_ldap",
	"method": "",
	"url": "--",
	"message": "Calling LDAP function ldap_bind with parameters [{},\"cn=admin,ou=users,dc=nextcloud,dc=allsopp,dc=local\",\"<PLAINTEXT PASSWORD>\"]",
	"userAgent": "--",
	"version": "27.0.0.8",
	"data": {
		"app": "user_ldap"
	}
}

Steps to reproduce

  1. Run the command NC_debug=true NC_loglevel=0 php -f occ dav:sync-system-addressbook
  2. Check the nextcloud.log file in data
  3. The password is visible in plain text in the ldap_bind log line

Expected behavior

It gets run through the same process that causes other sensitive parameters to be replaced with *** sensitive parameters replaced ***, so the password isn't visible in plain text.

Installation method

Community Docker image

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REDACTED***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "27.0.0.8",
        "overwrite.cli.url": "***REDACTED***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "overwritehost": "***REDACTED***",
        "overwriteprotocol": "https",
        "loglevel": "0",
        "maintenance": false,
        "app_install_overwrite": [
            "officeonline"
        ],
        "has_rebuilt_cache": true,
        "theme": "",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl"
    }
}

List of activated Apps

Enabled:
  - activity: 2.19.0
  - admin_audit: 1.17.0
  - bruteforcesettings: 2.7.0
  - calendar: 4.4.2
  - circles: 27.0.0
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contacts: 5.3.2
  - contactsinteraction: 1.8.0
  - dashboard: 7.7.0
  - dav: 1.27.0
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_pdfviewer: 2.8.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - nextcloud_announcements: 1.16.0
  - notes: 4.8.0
  - notifications: 2.15.0
  - oauth2: 1.15.0
  - password_policy: 1.17.0
  - photos: 2.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - quota_warning: 1.17.0
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - support: 1.10.0
  - survey_client: 1.15.0
  - suspicious_login: 5.0.0
  - systemtags: 1.17.0
  - tasks: 0.15.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - twofactor_totp: 9.0.0
  - updatenotification: 1.17.0
  - user_ldap: 1.17.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - encryption: 2.15.0 (installed 2.12.0)
  - files_external: 1.19.0
  - files_fulltextsearch: 26.0.0 (installed 26.0.0)
  - fulltextsearch: 26.0.0 (installed 26.0.0)
  - groupfolders: 14.0.2 (installed 14.0.2)
  - holiday_calendars: 0.3.0 (installed 0.3.0)
  - onlyoffice: 7.8.0 (installed 7.8.0)
  - richdocuments: 8.0.2 (installed 8.0.2)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{
	"reqId": "1IAV3J2CIoke20M2s8OF",
	"level": 0,
	"time": "2023-06-27T12:45:02+00:00",
	"remoteAddr": "",
	"user": "--",
	"app": "user_ldap",
	"method": "",
	"url": "--",
	"message": "Calling LDAP function ldap_bind with parameters [{},\"cn=admin,ou=users,dc=nextcloud,dc=allsopp,dc=local\",\"<PLAINTEXT PASSWORD>\"]",
	"userAgent": "--",
	"version": "27.0.0.8",
	"data": {
		"app": "user_ldap"
	}
}

Additional info

No response
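One defender-side check for the exposure this report describes, as an added example that is neither the reporter's nor Nextcloud's code: it reads nextcloud.log entries in the shape shown above, flags any ldap_bind debug line whose third parameter (the bind password) has not been scrubbed, and rewrites it with the placeholder the "Expected behavior" section quotes. The sample log lines, reqIds, DN and password are constructed for the example.

```python
import json
import re

# Placeholder Nextcloud substitutes for scrubbed arguments (quoted in the issue's
# "Expected behavior" section).
REDACTED = "*** sensitive parameters replaced ***"
# Shape of the user_ldap debug message in the report. The parameter list is a JSON
# array [<link resource>, <bind DN>, <password>], so the password sits at index 2.
BIND_RE = re.compile(
    r"^(?P<prefix>Calling LDAP function ldap_bind with parameters )(?P<params>\[.*\])$"
)
PASSWORD_INDEX = 2

def redact_bind_message(message: str):
    """Return (message with any ldap_bind password scrubbed, True if one was exposed)."""
    m = BIND_RE.match(message)
    if not m:
        return message, False
    prefix = m.group("prefix")
    try:
        params = json.loads(m.group("params"))
    except json.JSONDecodeError:
        # Cannot prove the list is scrubbed: replace it whole and flag the entry.
        return prefix + json.dumps([REDACTED]), True
    exposed = len(params) > PASSWORD_INDEX and params[PASSWORD_INDEX] != REDACTED
    if exposed:
        params[PASSWORD_INDEX] = REDACTED
    return prefix + json.dumps(params, separators=(",", ":")), exposed

def scan_log(lines):
    """Return (reqIds of entries that leaked a bind password, the lines with it scrubbed)."""
    leaked, cleaned = [], []
    for line in lines:
        entry = json.loads(line)
        message, exposed = redact_bind_message(entry.get("message", ""))
        if exposed:
            leaked.append(entry.get("reqId"))
        entry["message"] = message
        cleaned.append(json.dumps(entry))
    return leaked, cleaned

# Constructed sample lines in the shape of the issue's log entries (password is made up).
SAMPLE_LOG = [
    json.dumps({"reqId": "req-A", "app": "user_ldap", "message":
        'Calling LDAP function ldap_bind with parameters [{},"cn=admin,ou=users,dc=example,dc=test","made-up-pw"]'}),
    json.dumps({"reqId": "req-B", "app": "user_ldap", "message":
        'Calling LDAP function ldap_search with parameters [{},"dc=example,dc=test","(uid=alice)"]'}),
]
```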

@Chifilly Chifilly added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jun 27, 2023
@come-nc
Contributor

come-nc commented Jun 27, 2023

Duplicate of #38461

@come-nc come-nc marked this as a duplicate of #38461 Jun 27, 2023
@szaimen szaimen closed this as completed Jun 27, 2023
@Chifilly
Author

Apologies. I did a search but must have missed it.
