[Openstack-security] [Bug 1575909] Re: VPN shared PSK shown in plaintext

Rob Cresswell rcresswe at cisco.com
Wed Feb 15 10:05:47 UTC 2017


Submitting patches automatically updates Launchpad. Please don't modify
the status to In Progress manually.

** Changed in: horizon
       Status: In Progress => New

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1575909

Title:
  VPN shared PSK shown in plaintext

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  In the neutron VPN details and form,
  https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/templates/vpn/_ipsecsiteconnection_details.html#L43
  and
  https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/forms.py#L249
  don't offer the option of hiding the string. Typically sensitive
  information like passwords is hidden by default, requiring the user to
  explicitly choose to make it visible by clicking an icon (like the eye
  icon).

  Filing this as a security bug out of an overabundance of caution;
  while it is related to security it doesn't describe a vulnerability
  that can be exploited by means other than shoulder surfing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1575909/+subscriptions



