
After upgrade from 8.2 to 9.1: plain password in owncloud.log #25895

Closed
kostas707 opened this issue Aug 22, 2016 · 3 comments · Fixed by #25902
kostas707 commented Aug 22, 2016

OwnCloud version 9.1. When entering a login on the web page, the plain password is shown in owncloud.log.

Steps to reproduce

Open the OwnCloud web page, go to the login form and enter:
user: aaaaa
password: bbbbb

```
{"reqId":"tAboChzhlAec4q9vgwvN","remoteAddr":"192.168.100.15","app":"user_ldap","message":"Exception: {"Exception":"Exception","Message":"No user available for the given login name on 10.90.2.23:10389","Code":0,"Trace":"
#0 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(120): OCA\User_LDAP\User_LDAP->getLDAPUserByLoginName('aaaaa')
#1 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword(*** sensitive parameters replaced ***)
#2 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(67): call_user_func_array(Array, Array)
#3 /var/www/owncloud/apps/user_ldap/lib/Proxy.php(139): OCA\User_LDAP\User_Proxy->walkBackends('aaaaa', 'checkPassword', Array)
#4 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(182): OCA\User_LDAP\Proxy->handleRequest('aaaaa', 'checkPassword', Array)
#5 /var/www/owncloud/lib/private/User/Manager.php(190): OCA\User_LDAP\User_Proxy->checkPassword(*** sensitive parameters replaced ***)
#6 /var/www/owncloud/core/Controller/LoginController.php(177): OC\User\Manager->checkPassword(*** sensitive parameters replaced ***)
#7 [internal function]: OC\Core\Controller\LoginController->tryLogin('aaaaa', 'bbbbb', NULL)
#8 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(159): call_user_func_array(Array, Array)
#9 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(89): OC\AppFramework\Http\Dispatcher->executeController(Object(OC\Core\Controller\LoginController), 'tryLogin')
#10 /var/www/owncloud/lib/private/AppFramework/App.php(110): OC\AppFramework\Http\Dispatcher->dispatch(Object(OC\Core\Controller\LoginController), 'tryLogin')
#11 /var/www/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('LoginController', 'tryLogin', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#12 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#13 /var/www/owncloud/lib/private/Route/Router.php(280): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
#14 /var/www/owncloud/lib/base.php(891): OC\Route\Router->match('/login')
#15 /var/www/owncloud/index.php(39): OC::handleRequest()
#16 {main}","File":"/var/www/owncloud/apps/user_ldap/lib/User_LDAP.php","Line":104}","level":3,"time":"2016-08-22T10:53:35+00:00","method":"POST","url":"/index.php/login?user=aaaaa","user":"--"}
{"reqId":"tAboChzhlAec4q9vgwvN","remoteAddr":"192.168.100.15","app":"user_ldap","message":"Exception: {"Exception":"Exception","Message":"No user available for the given login name on 192.168.1.14:3268","Code":0,"Trace":"
```

Expected behaviour

In OwnCloud 8.2 with the same loglevel there were no plain passwords in the log.

Server configuration

Debian 8
Apache/2.4.10 (Debian)
mysql Ver 14.14 Distrib 5.5.44, for debian-linux-gnu (x86_64) using readline 6.3
PHP 5.6.9-0+deb8u1 (cli) (built: Jun 5 2015 11:03:27)
OwnCloud 9.1
Version updated as follows:

  1. sudo -u www-data php occ maintenance:mode --on
  2. /etc/init.d/apache2 stop
  3. gunzip owncloud-files_9.1.0.orig.tar.gz | tar xvf -
  4. chown -hR www-data:www-data owncloud/
  5. bkp: config/ and data/ directory.
  6. rm -rf old files and copy new one (except config/config.php)
  7. /etc/init.d/apache2 restart
  8. cd /var/www/owncloud
  9. sudo -u www-data php occ upgrade

Where did you install ownCloud from:
http://download.owncloud.org/download/repositories/9.1.0/Debian_8.0/owncloud-files_9.1.0.orig.tar.gz

Signing status (ownCloud 9.0 and above):

http://example.com/index.php/settings/integrity/failed - paste the results here:
No errors have been found.

**List of activated apps:**

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder

Enabled:
- dav: 0.2.5
- federatedfilesharing: 0.3.0
- files: 1.5.1
- user_ldap: 0.9.0

Disabled:
- activity
- comments
- encryption
- external
- federation
- files_antivirus
- files_external
- files_pdfviewer
- files_sharing
- files_texteditor
- files_trashbin
- files_versions
- files_videoplayer
- firstrunwizard
- gallery
- notifications
- provisioning_api
- systemtags
- templateeditor
- updatenotification
- user_external

**The content of config/config.php:**
```php
# cat config.php
<?php
$CONFIG = array (
  'instanceid' => 'instance_id',
  'passwordsalt' => 'pAsSwOrDsAlT',
  'secret' => 'SeCrEt',
  'trusted_domains' => 
  array (
    0 => 'domain.domain.org',
  ),
  'datadirectory' => '/var/www/owncloud/data',
  'overwrite.cli.url' => 'http://files.files.org/owncloud',
  'dbtype' => 'mysql',
  'version' => '9.1.0.15',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'forcessl' => true,
  'forceSSLforSubdomains' => true,
  'session_lifetime' => 28800,
  'mail_from_address' => 'owncloud',
  'mail_domain' => 'domain.org',
  'mail_smtphost' => 'smtp.smtp.org',
  'mail_smtpport' => '25',
  'ldapIgnoreNamingRules' => false,
  'preview_libreoffice_path' => '/usr/bin/libreoffice',
  'loglevel' => '4',
  'maintenance' => false,
  'dbname' => 'owncloud',
  'dbhost' => '127.0.0.1',
  'dbuser' => 'username',
  'dbpassword' => 'pass',
  'theme' => '',
  'trashbin_retention_obligation' => 'auto',
);
```

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder
```
root@sfiles:/var/www/owncloud# sudo -u www-data php occ config:list system
{
    "system": {
        "instanceid": "instanceid",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "sfiles.sfiles.org"
        ],
        "datadirectory": "/var/www/owncloud/data",
        "overwrite.cli.url": "http://files.files.org/owncloud",
        "dbtype": "mysql",
        "version": "9.1.0.15",
        "installed": true,
        "mail_smtpmode": "smtp",
        "forcessl": true,
        "forceSSLforSubdomains": true,
        "session_lifetime": 28800,
        "mail_from_address": "owncloud",
        "mail_domain": "files.org",
        "mail_smtphost": "smtp.smtp.org",
        "mail_smtpport": "25",
        "ldapIgnoreNamingRules": false,
        "preview_libreoffice_path": "/usr/bin/libreoffice",
        "loglevel": "4",
        "maintenance": false,
        "dbname": "owncloud",
        "dbhost": "127.0.0.1",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "theme": "",
        "trashbin_retention_obligation": "auto"
    }
}
root@files:/var/www/owncloud#
```

Are you using external storage, if yes which one: local/smb/sftp/...
no

Are you using encryption: yes/no
no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
Ldap and Active Directory

@kostas707 (Author)

Thanks for the quick response. I've checked #25902. When logging in with a fake user, no password is shown. But when connecting with an existing domain username and the correct password, the password is still in the log.

```
{"reqId":"MTRK5tqbshYzakztCAoW","remoteAddr":"192.168.100.15","app":"user_ldap","message":"Exception: {"Exception":"Exception","Message":"No user available for the given login name on 10.90.2.23:10389","Code":0,"Trace":"
#0 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(120): OCA\User_LDAP\User_LDAP->getLDAPUserByLoginName('domain.username...')
#1 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword(*** sensitive parameters replaced ***)
#2 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(67): call_user_func_array(Array, Array)
#3 /var/www/owncloud/apps/user_ldap/lib/Proxy.php(139): OCA\User_LDAP\User_Proxy->walkBackends('domain.username...', 'checkPassword', Array)
#4 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(182): OCA\User_LDAP\Proxy->handleRequest('domain.username...', 'checkPassword', Array)
#5 /var/www/owncloud/lib/private/User/Manager.php(190): OCA\User_LDAP\User_Proxy->checkPassword(*** sensitive parameters replaced ***)
#6 /var/www/owncloud/core/Controller/LoginController.php(177): OC\User\Manager->checkPassword(*** sensitive parameters replaced ***)
#7 [internal function]: OC\Core\Controller\LoginController->tryLogin(*** sensitive parameters replaced ***)
#8 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(159): call_user_func_array(Array, Array)
#9 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(89): OC\AppFramework\Http\Dispatcher->executeController(Object(OC\Core\Controller\LoginController), 'tryLogin')
#10 /var/www/owncloud/lib/private/AppFramework/App.php(110): OC\AppFramework\Http\Dispatcher->dispatch(Object(OC\Core\Controller\LoginController), 'tryLogin')
#11 /var/www/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('LoginController', 'tryLogin', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#12 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#13 /var/www/owncloud/lib/private/Route/Router.php(280): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
#14 /var/www/owncloud/lib/base.php(891): OC\Route\Router->match('/login')
#15 /var/www/owncloud/index.php(39): OC::handleRequest()
#16 {main}","File":"/var/www/owncloud/apps/user_ldap/lib/User_LDAP.php","Line":104}","level":3,"time":"2016-08-23T06:03:08+00:00","method":"POST","url":"/index.php/login","user":"--"}

{"reqId":"MTRK5tqbshYzakztCAoW","remoteAddr":"192.168.100.15","app":"user_ldap","message":"Exception: {"Exception":"Exception","Message":"No user available for the given login name on 10.90.2.23:10389","Code":0,"Trace":"
#0 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(120): OCA\User_LDAP\User_LDAP->getLDAPUserByLoginName('domain.username...')
#1 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword(*** sensitive parameters replaced ***)
#2 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(67): call_user_func_array(Array, Array)
#3 /var/www/owncloud/apps/user_ldap/lib/Proxy.php(139): OCA\User_LDAP\User_Proxy->walkBackends('domain.username...', 'checkPassword', Array)
#4 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(182): OCA\User_LDAP\Proxy->handleRequest('domain.username...', 'checkPassword', Array)
#5 /var/www/owncloud/lib/private/User/Manager.php(190): OCA\User_LDAP\User_Proxy->checkPassword(*** sensitive parameters replaced ***)
#6 /var/www/owncloud/lib/private/User/Session.php(427): OC\User\Manager->checkPassword(*** sensitive parameters replaced ***)
#7 /var/www/owncloud/lib/private/User/Session.php(287): OC\User\Session->loginWithPassword('domain.username...', ---> 'plain_password!!!') ---<
#8 /var/www/owncloud/core/Controller/LoginController.php(196): OC\User\Session->login(*** sensitive parameters replaced ***)
#9 [internal function]: OC\Core\Controller\LoginController->tryLogin(*** sensitive parameters replaced ***)
#10 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(159): call_user_func_array(Array, Array)
#11 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(89): OC\AppFramework\Http\Dispatcher->executeController(Object(OC\Core\Controller\LoginController), 'tryLogin')
#12 /var/www/owncloud/lib/private/AppFramework/App.php(110): OC\AppFramework\Http\Dispatcher->dispatch(Object(OC\Core\Controller\LoginController), 'tryLogin')
#13 /var/www/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('LoginController', 'tryLogin', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#14 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#15 /var/www/owncloud/lib/private/Route/Router.php(280): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
#16 /var/www/owncloud/lib/base.php(891): OC\Route\Router->match('/login')
#17 /var/www/owncloud/index.php(39): OC::handleRequest()
#18 {main}","File":"/var/www/owncloud/apps/user_ldap/lib/User_LDAP.php","Line":104}","level":3,"time":"2016-08-23T06:03:08+00:00","method":"POST","url":"/index.php/login","user":"--"}

{"reqId":"PEaoW0KkIpTbe3dR3OT7","remoteAddr":"192.168.100.15","app":"user_ldap","message":"Exception: {"Exception":"Exception","Message":"No user available for the given login name on 10.90.2.23:10389","Code":0,"Trace":"
#0 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(120): OCA\User_LDAP\User_LDAP->getLDAPUserByLoginName('domain.username...')
#1 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword(*** sensitive parameters replaced ***)
#2 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(67): call_user_func_array(Array, Array)
#3 /var/www/owncloud/apps/user_ldap/lib/Proxy.php(139): OCA\User_LDAP\User_Proxy->walkBackends('domain.username...', 'checkPassword', Array)
#4 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(182): OCA\User_LDAP\Proxy->handleRequest('domain.username...', 'checkPassword', Array)
#5 /var/www/owncloud/lib/private/User/Manager.php(190): OCA\User_LDAP\User_Proxy->checkPassword(*** sensitive parameters replaced ***)
#6 /var/www/owncloud/lib/private/User/Session.php(591): OC\User\Manager->checkPassword(*** sensitive parameters replaced ***)
#7 /var/www/owncloud/lib/private/User/Session.php(626): OC\User\Session->checkTokenCredentials(Object(OC\Authentication\Token\DefaultToken), 'vphb8idv8kgpc4i...')
#8 /var/www/owncloud/lib/private/User/Session.php(221): OC\User\Session->validateToken(*** sensitive parameters replaced ***)
#9 /var/www/owncloud/lib/private/User/Session.php(196): OC\User\Session->validateSession()
#10 /var/www/owncloud/lib/private/App/AppManager.php(152): OC\User\Session->getUser()
#11 /var/www/owncloud/lib/private/legacy/app.php(313): OC\App\AppManager->isEnabledForUser('user_webdavauth')
#12 /var/www/owncloud/lib/public/App.php(131): OC_App::isEnabled('user_webdavauth')
#13 /var/www/owncloud/apps/user_ldap/appinfo/app.php(72): OCP\App::isEnabled('user_webdavauth')
#14 /var/www/owncloud/lib/private/legacy/app.php(186): require_once('/var/www/ownclo...')
#15 /var/www/owncloud/lib/private/legacy/app.php(149): OC_App::requireAppFile('user_ldap')
#16 /var/www/owncloud/lib/private/legacy/app.php(119): OC_App::loadApp('user_ldap')
#17 /var/www/owncloud/lib/base.php(861): OC_App::loadApps(Array)
#18 /var/www/owncloud/index.php(39): OC::handleRequest()
#19 {main}","File":"/var/www/owncloud/apps/user_ldap/lib/User_LDAP.php","Line":104}","level":3,"time":"2016-08-23T06:03:08+00:00","method":"GET","url":"/index.php/apps/files/","user":"domain.username"}
```
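An added example, not ownCloud's code or the fix in #25902: a Python scanner that reads owncloud.log line by line, parses the JSON exception carried inside each message, and flags trace frames of credential-handling methods whose arguments were not replaced with "*** sensitive parameters replaced ***", plus a redaction pass that applies the same replacement when an already-written log has to be kept or shared. The method list and the sample log entry are constructed for this example and are assumptions, not ownCloud's configuration.

```python
import json
import re
# Methods whose arguments must never appear in a trace. tryLogin and loginWithPassword are
# the two this issue found unredacted; this set is the example's assumption, not ownCloud's.
SENSITIVE_METHODS = {"tryLogin", "loginWithPassword", "checkPassword", "validateToken"}
REDACTED = "*** sensitive parameters replaced ***"
# One PHP frame, e.g. "#7 [internal function]: OC\Core\...->tryLogin('a', 'b', NULL)"
FRAME_RE = re.compile(r"^(#\d+ .*?(?:->|::))(\w+)\((.*)\)$")  # prefix, method, args

def leaking_frames(trace):
    """Return (method, args) for sensitive-method frames whose arguments are still literal."""
    leaks = []
    for line in trace.split("\n"):
        m = FRAME_RE.match(line)
        if m and m.group(2) in SENSITIVE_METHODS and m.group(3) != REDACTED:
            leaks.append((m.group(2), m.group(3)))
    return leaks

def redact_trace(trace):
    """Replace the arguments of sensitive-method frames, as the fix does at log time."""
    out = []
    for line in trace.split("\n"):
        m = FRAME_RE.match(line)
        if m and m.group(2) in SENSITIVE_METHODS:
            line = f"{m.group(1)}{m.group(2)}({REDACTED})"
        out.append(line)
    return "\n".join(out)

def scan_log(log_text):
    """Map reqId -> leaking frames for every exception entry in an owncloud.log text."""
    findings = {}
    for raw in (s for s in log_text.splitlines() if s.strip()):
        entry = json.loads(raw)
        msg = entry.get("message", "")
        if not msg.startswith("Exception: "):
            continue
        exc = json.loads(msg[len("Exception: "):])  # the exception is JSON inside the message
        leaks = leaking_frames(exc.get("Trace", ""))
        if leaks:
            findings[entry["reqId"]] = leaks
    return findings

# Constructed sample entry shaped like the traces in this issue (not real log data).
SAMPLE_TRACE = "\n".join([
    "#1 [internal function]: OCA\\User_LDAP\\User_LDAP->checkPassword(" + REDACTED + ")",
    "#7 /var/www/owncloud/lib/private/User/Session.php(287): OC\\User\\Session->loginWithPassword('domain.username', 'plain_password!!!')",
    "#8 [internal function]: OC\\Core\\Controller\\LoginController->tryLogin('aaaaa', 'bbbbb', NULL)",
])
SAMPLE_LOG = json.dumps({"reqId": "req1", "app": "user_ldap", "level": 3, "message": "Exception: " + json.dumps({"Exception": "Exception", "Trace": SAMPLE_TRACE})}) + "\n"
```

Running scan_log over a real log before and after applying the fix shows whether any credential-bearing frame still survives.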

@DeepDiver1975 (Member)

THX. Will take care

PVince81 pushed a commit that referenced this issue Aug 24, 2016
* Don't log credentials of LoginController::tryLogin - fixes #25895

* Don't log password in loginWithPassword
DeepDiver1975 added a commit that referenced this issue Aug 24, 2016
* Don't log credentials of LoginController::tryLogin - fixes #25895

* Don't log password in loginWithPassword
DeepDiver1975 added a commit that referenced this issue Aug 29, 2016
… (#25935)

* Don't log credentials of LoginController::tryLogin - fixes #25895

* Don't log password in loginWithPassword
lock bot commented Aug 3, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
