[Openstack-security] [Bug 1744609] Re: operation log: user passwords are logged by default setting

Jeremy Stanley fungi at yuggoth.org
Sat Feb 17 14:14:24 UTC 2018


** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1744609

Title:
  operation log: user passwords are logged by default setting

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  If the operation log is enabled (disabled by default) and the default value of OPERATION_LOG_OPTIONS['mask_fields'] is used, when a user tries to change his/her password from "Change Password" panel (http://<dashboard-site>/settings/password/), both current and new passwords will be logged in the operation log like below.
  The same thing happens in "Change Password" action in the Identity User panel.
  ----
  [None] [None] [demo] [d65075f0e4964b8d9ccb57ddcce8fbbb] [admin] [c90eec6eb48d4bcc988e8cebf9ce80fa] [http] [/settings/password/] [/settings/password/] [error: Unauthorized: Unable to change password., error: Unauthorized. Please try logging in again.] [POST] [403] [{"fake_email": "", "fake_password": "", "new_password": "NEW-PASSWORD", "confirm_password": "NEW-PASSWORD", "current_password": "CURRENT-PASSWORD", "csrfmiddlewaretoken": "SEuuWLJlUPNUZzC6aCQkIQxyFuQPCjcahqnuZ8CYthDd4GNr76UC5EQYTAZzbdeo"}]
  ----

  The default value of OPERATION_LOG_OPTIONS['mask_fields'] should
  include "current_password", "new_password" and "confirm_password".

  Operators who enable the operation log feature are recommended to set
  OPERATION_LOG_OPTIONS['mask_fields'] to ['password',
  'current_password', 'new_password', 'confirm_password'] in
  local_settings.py.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1744609/+subscriptions
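The following is an added illustration, not Horizon's own middleware code: it re-implements the masking step for the POST body quoted in the report, comparing an assumed pre-fix default of OPERATION_LOG_OPTIONS['mask_fields'] = ['password'] with the setting the report recommends. The exact-name matching rule and the "********" placeholder are assumptions made for the demonstration.

```python
"""Illustrative re-implementation of operation-log field masking (not Horizon's code)."""
import json

# Constructed sample: the POST body quoted in the bug report, with the CSRF
# token shortened.  Credential values are the placeholders used there.
SAMPLE_POST = {
    "fake_email": "",
    "fake_password": "",
    "new_password": "NEW-PASSWORD",
    "confirm_password": "NEW-PASSWORD",
    "current_password": "CURRENT-PASSWORD",
    "csrfmiddlewaretoken": "SEuuWLJlUPNUZzC6...",
}

# Assumed pre-fix default versus the setting recommended in the report
# (what an operator would put in local_settings.py).
DEFAULT_OPTIONS = {"mask_fields": ["password"]}
RECOMMENDED_OPTIONS = {
    "mask_fields": ["password", "current_password",
                    "new_password", "confirm_password"],
}

MASK = "********"  # assumed placeholder written in place of masked values
SECRET_FIELDS = ["current_password", "new_password", "confirm_password"]


def mask_params(params, options):
    """Copy of the POST parameters with masked fields replaced (assumed rule:
    exact, case-insensitive match of the parameter name against mask_fields)."""
    mask_fields = {f.lower() for f in options.get("mask_fields", [])}
    return {k: (MASK if k.lower() in mask_fields else v) for k, v in params.items()}


def format_entry(params, options):
    """Render the parameter part of an operation-log line as JSON."""
    return json.dumps(mask_params(params, options), sort_keys=True)


def leaked_fields(params, options, secret_fields=SECRET_FIELDS):
    """Secret fields whose non-empty cleartext value would still reach the log."""
    masked = mask_params(params, options)
    return sorted(f for f in secret_fields
                  if f in params and params[f] and masked[f] == params[f])


if __name__ == "__main__":
    for name, opts in (("default", DEFAULT_OPTIONS), ("recommended", RECOMMENDED_OPTIONS)):
        print(f"{name}: {format_entry(SAMPLE_POST, opts)}")
        print(f"  leaked fields: {leaked_fields(SAMPLE_POST, opts)}")
```

Running it shows all three password fields reaching the log under the default and none under the recommended setting; the same check can be run over a real local_settings.py value before enabling the operation log.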
