apigee-edge-drupal

Apigee Developer Portal Kickstart 9.5.11 version - Not Encrypting client credentials from client browser to network

Open mnimakwala opened this issue 11 months ago • 7 comments

Description

We have installed Apigee Developer Portal Kickstart version 9.5.11. We have observed that this module does not encrypt the user password when the request travels from the user's browser to the network. At the network level we have enabled TLS, so the request is encrypted there. This leaves us in a situation with a vulnerable product. Can we enable encryption? If yes, please guide us. If not, please share a valid reason. Any plan for future releases?

Apigee Info

We are using Apigee OPDK version 4.52.00.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Go to 'Drupal login page'
  2. Enter "User id and Password"
  3. Click on 'Login button'
  4. Click on browser's 'More Tools > Developer tools > Network > Payload'

Actual Behavior

The user password is visible in plain text in the Payload tab.

Expected Behavior

The user password is expected to be visible in encrypted form.

Screenshots

NA

Notes

In any compliance-driven industry this kind of behavior is prone to vulnerability.

Version Info

Apigee Developer Portal Kickstart version - 9.5.11
Apigee version - 4.52.00

If any more details required please ask.

Thanks, Mustufa

mnimakwala, Dec 22 '24 13:12
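A caveat on the reproduction steps above: the browser's DevTools Network > Payload panel shows the request body as the page built it, before the browser's TLS stack encrypts it, so it never shows the bytes on the wire and cannot be used to judge transport encryption. The check a practitioner wants here is that the login form can only ever be submitted over TLS. The script below is an added example, not code from the apigee-edge-drupal project or from anyone in this thread; it parses a constructed login page and its response headers and reports every way credentials could still leave the browser unencrypted (form action not https, GET method, missing or zero HSTS max-age, session cookie without Secure/HttpOnly). The sample HTML, hostnames, header values and cookie names are constructed for illustration; the field names mirror the shape of a Drupal user login form but are an assumption, not taken from the page.

```python
"""Check that a login form cannot send credentials outside TLS.

Added example (not project code). All sample data below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect every <form> on the page together with its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                (a.get("name") or "", (a.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_transport(page_url, html, headers):
    """Return a list of findings; an empty list means every check passed.

    headers is a list of (name, value) pairs rather than a dict so that
    repeated Set-Cookie headers are all visible.
    """
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append("login page itself is served over %s" % page.scheme)

    parser = _FormFinder()
    parser.feed(html)
    password_forms = [f for f in parser.forms
                      if any(kind == "password" for _, kind in f["fields"])]
    if not password_forms:
        findings.append("no form with a password field found on the page")

    for form in password_forms:
        # Resolve a relative action against the page URL, as the browser does.
        target = urlsplit(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append("password form submits to %s://%s (not https)"
                            % (target.scheme, target.netloc))
        if form["method"] != "post":
            findings.append("password form uses %s; credentials would land in "
                            "the URL and server logs" % form["method"].upper())

    lowered = [(k.lower(), v) for k, v in headers]
    hsts = [v for k, v in lowered if k == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header: a first request "
                        "typed as http:// is not upgraded by the browser")
    else:
        max_age = 0
        for directive in hsts[0].split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.isdigit():
                max_age = int(value)
        if max_age <= 0:
            findings.append("Strict-Transport-Security max-age is %d" % max_age)

    for k, v in lowered:
        if k != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        if "secure" not in flags:
            findings.append("cookie %s lacks Secure; it would be sent over http" % name)
        if "httponly" not in flags:
            findings.append("cookie %s lacks HttpOnly" % name)
    return findings


# Constructed sample resembling a Drupal login page (illustrative only).
SAMPLE_HTML = """
<form action="/user/login" method="post" id="user-login-form">
  <input type="text" name="name" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
  <input type="hidden" name="form_id" value="user_login_form">
  <input type="submit" name="op" value="Log in">
</form>
"""
# Constructed misconfigured page: absolute http action and GET method.
BAD_HTML = SAMPLE_HTML.replace('action="/user/login" method="post"',
                               'action="http://portal.example/user/login" method="get"')
GOOD_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "SSESSabc123=opaque; path=/; secure; HttpOnly; SameSite=Lax"),
]
BAD_HEADERS = [("Set-Cookie", "SESSabc123=opaque; path=/")]

if __name__ == "__main__":
    for label, html, hdrs in (("good", SAMPLE_HTML, GOOD_HEADERS),
                              ("bad", BAD_HTML, BAD_HEADERS)):
        print(label, check_login_transport("https://portal.example/user/login", html, hdrs))
```

Run against a real portal by fetching the login page with any HTTP client and passing the body and the response headers in; the function only inspects what the browser itself receives, so it needs no credentials.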

Hi @mnimakwala

Thanks for bringing this to our attention. We will have an internal discussion on it and will update here.

kedarkhaire, Dec 23 '24 10:12

Hi Kedar,

Thanks for picking this up. We are eagerly looking for a solution to this issue. Awaiting your quick response on this.

Thanks, Mustufa

mnimakwala, Dec 24 '24 07:12

Hi @mnimakwala

To be very clear, this issue occurs on all Drupal versions I checked. I will address this issue in our next-to-next release; I have added it to our queue, but many things are in process, so it will take some time.

In the meantime, if you have a solution for this issue, we are open to your contribution.

Thanks!

kedarkhaire, Dec 26 '24 07:12

Hi Kedar,

Thanks for your quick update. I have a few questions:

  1. We tried the Encrypt and Password Encrypt modules, but they did not encrypt the user password. They give the error message "Multiple Encryption of Password in User Profile form which lead to user unable to login next time." This error does not allow us to log in. Unfortunately we had to remove the module. Is this module advisable to use in production? How can we be assured that the community has given the go-ahead for modules to be used in production systems?
  2. We referred to the URLs below, which mention a solution. We don't know whether anyone has implemented it. Is this something we can try out? We also need to see whether the encryption method uses the latest AES-256 for a production-grade module. https://durpal.stackexchange.com/questions/217952/how-do-you-force-drupal-login-to-encrypt-the-credentials https://drupal.org/project/drupal/issues/3478977
  3. As you mentioned, you will address this issue in the next-to-next release. Can we know whether it has been evaluated and added to a release? What is the estimated ETA for this?

Awaiting your quick response.

Thanks, Mustufa

mnimakwala, Dec 27 '24 06:12

Hi @mnimakwala

For the 1st: using Drupal forms also gives the same output; as you can see, the user module is still in use for the points you mentioned.

For the 2nd: the 1st link is not working, so I cannot refer to it. For your issue, Jay has already created the issue on the Drupal core 'user' module, so if the changes are added by the Drupal community there, we can also test the same in our forms.

For the 3rd: I wanted to say that we can consider it for the next-to-next release, but currently there is no resolution for it, so it is not yet evaluated for grooming either. Once we achieve that, then with a proper solution it will be discussed here. Apologies, I used the word "release" earlier, which caused a misunderstanding.

Thanks!

kedarkhaire, Dec 27 '24 09:12

Hi Kedar or Drupal Team Fellow,

Picking up our communication from last year, we would like to know whether any community solution is available for public use on our original ask below: "We have observed that this module does not encrypt the user password when the request travels from the user's browser to the network."

Can you please update us on this.

mnimakwala, Oct 09 '25 07:10

Hi @mnimakwala

As discussed earlier, the forms are built using the existing Drupal user interface, so the same Drupal functionality applies here. Also, as said, the points raised here are being discussed by the Drupal community.

Thanks!

kedarkhaire, Oct 13 '25 09:10