[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1744609] Re: operation log: user passwords are logged by default setting

** Information type changed from Public Security to Public

** Tags added: security

You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.

  operation log: user passwords are logged by default setting

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  If the operation log is enabled (disabled by default) and the default value of OPERATION_LOG_OPTIONS['mask_fields'] is used, when a user tries to change his/her password from "Change Password" panel (http://<dashboard-site>/settings/password/), both current and new passwords will be logged in the operation log like below.
  The same thing happens in "Change Password" action in the Identity User panel.
  [None] [None] [demo] [d65075f0e4964b8d9ccb57ddcce8fbbb] [admin] [c90eec6eb48d4bcc988e8cebf9ce80fa] [http] [/settings/password/] [/settings/password/] [error: Unauthorized: Unable to change password., error: Unauthorized. Please try logging in again.] [POST] [403] [{"fake_email": "", "fake_password": "", "new_password": "NEW-PASSWORD", "confirm_password": "NEW-PASSWORD", "current_password": "CURRENT-PASSWORD", "csrfmiddlewaretoken": "SEuuWLJlUPNUZzC6aCQkIQxyFuQPCjcahqnuZ8CYthDd4GNr76UC5EQYTAZzbdeo"}]

  The default value of OPERATION_LOG_OPTIONS['mask_fields'] should
  include "current_password", "new_password" and "confirm_password".

  Operators who enable the operation log feature are recommended to set
  OPERATION_LOG_OPTIONS['mask_fields'] to ['password',
  'current_password', 'new_password', 'confirm_password'] in

To manage notifications about this bug go to: