[Openstack-security] [Bug 1575909] Re: VPN shared PSK shown in plaintext

OpenStack Infra 1575909 at bugs.launchpad.net
Thu Mar 2 22:25:28 UTC 2017


Reviewed:  https://review.openstack.org/440736
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=7a1a8b373935904ce0701f3c3758ec1f56c243ea
Submitter: Jenkins
Branch:    stable/mitaka

commit 7a1a8b373935904ce0701f3c3758ec1f56c243ea
Author: Julie Gravel <julie.gravel at hpe.com>
Date:   Wed Feb 15 12:08:12 2017 -0800

    Make VPN IPSec Site Connection PSK field hidden
    
    The Pre-Shared Key (PSK) field on the VPN IPSec Site Connection tab
    should not be displayed in plain text due to security concerns. Set
    the PSK field in the Add Connection and the Edit Connection dialogs
    to be a password field to provide the user some protection when
    entering the value. Remove the PSK field from the details page since
    this is the pattern used with the password field in Identity Users
    panel.
    
    Change-Id: I4dd713f01b02c29d9822efcb519de60fd9d035e6
    Close-Bug: #1575909
    (cherry picked from commit 5137dc4fdd19de3494293731abffdfb7e5b26449)


** Tags added: in-stable-mitaka

** Tags added: in-stable-newton

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1575909

Title:
  VPN shared PSK shown in plaintext

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  In the neutron VPN details and form,
  https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/templates/vpn/_ipsecsiteconnection_details.html#L43
  and
  https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/forms.py#L249
  don't offer the option of hiding the string. Typically sensitive
  information like passwords is hidden by default, requiring the user to
  explicitly choose to make it visible by clicking an icon (like the eye
  icon).

  Filing this as a security bug out of an overabundance of caution;
  while it is related to security it doesn't describe a vulnerability
  that can be exploited by means other than shoulder surfing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1575909/+subscriptions



