TeamPass
The user's password is displayed in plain text.
The situation occurs when Teampass is configured with Active Directory and multi-factor authentication.
Steps to reproduce
- Open the browser's developer tools.
- Enter a valid Active Directory account on the login screen.
- Enter any password.
- Leave the identification field blank or enter a wrong one.
- Click the log in button.
Expected behaviour
An LDAP error is displayed and the password should not be identifiable.
Actual behaviour
An LDAP error is displayed, but the password is also shown in plain text in the console.
Server configuration
Operating system: Alpine Linux v3.12 with docker compose
Web server: nginx 1.25.3
Database: mysql-server 5.7
PHP version: 7.4.9
Teampass version: 3.0.10
Teampass configuration file:

```php
'max_latest_items' => '10', 'enable_favourites' => '1', 'show_last_items' => '1', 'enable_pf_feature' => '0', 'log_connections' => '0', 'log_accessed' => '1', 'time_format' => 'H:i:s', 'date_format' => 'd/m/Y', 'duplicate_folder' => '1', 'item_duplicate_in_same_folder' => '0', 'duplicate_item' => '1', 'number_of_used_pw' => '3', 'manager_edit' => '1', 'cpassman_dir' => '/var/www/html', 'cpassman_url' => 'https://xxx', 'favicon' => 'https://xxx/favicon.ico', 'path_to_upload_folder' => '/var/www/html/upload', 'url_to_upload_folder' => 'https://xxx/upload', 'path_to_files_folder' => '/var/www/html/files', 'url_to_files_folder' => 'https://xxx/files', 'activate_expiration' => '0', 'pw_life_duration' => '0', 'maintenance_mode' => '0', 'enable_sts' => '0', 'encryptClientServer' => '1', 'cpassman_version' => '3.0.0.21', 'ldap_mode' => '1', 'ldap_type' => 'ActiveDirectory', 'ldap_suffix' => '@xxx', 'ldap_domain_dn' => 'OU=xxx', 'ldap_domain_controler' => 'xxx', 'ldap_user_attribute' => 'samaccountname', 'ldap_ssl' => '0', 'ldap_tls' => '0', 'ldap_search_base' => '0', 'ldap_port' => '389', 'richtext' => '0', 'allow_print' => '1', 'roles_allowed_to_print' => '["["["["["1","2"]"]"]"]"]', 'show_description' => '1', 'anyone_can_modify' => '0', 'anyone_can_modify_bydefault' => '0', 'nb_bad_authentication' => '0', 'utf8_enabled' => '1', 'restricted_to' => '0', 'restricted_to_roles' => '0', 'enable_send_email_on_user_login' => '0', 'enable_user_can_create_folders' => '0', 'insert_manual_entry_item_history' => '0', 'enable_kb' => '0', 'enable_email_notification_on_item_shown' => '0', 'enable_email_notification_on_user_pw_change' => '0', 'custom_logo' => 'https://xxx', 'custom_login_text' => 'Cofre', 'default_language' => 'english', 'send_stats' => '0', 'send_statistics_items' => 
'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;', 'send_stats_time' => '1614542739', 'get_tp_info' => '1', 'send_mail_on_user_login' => '0', 'nb_items_by_query' => 'auto', 'enable_delete_after_consultation' => '0', 'enable_personal_saltkey_cookie' => '0', 'personal_saltkey_cookie_duration' => '31', 'email_smtp_server' => 'xxx', 'email_smtp_auth' => '', 'email_auth_username' => '', 'email_auth_pwd' => '', 'email_port' => '25', 'email_security' => '', 'email_server_url' => '', 'email_from' => 'nao-responder@xxx', 'email_from_name' => 'Cofre', 'pwd_maximum_length' => '60', 'google_authentication' => '1', 'delay_item_edition' => '0', 'allow_import' => '1', 'proxy_ip' => '', 'proxy_port' => '', 'upload_maxfilesize' => '10mb', 'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx', 'upload_imagesext' => 'jpg,jpeg,gif,png', 'upload_pkgext' => '7z,rar,tar,zip', 'upload_otherext' => 'sql,xml,yml,yaml', 'upload_imageresize_options' => '1', 'upload_imageresize_width' => '800', 'upload_imageresize_height' => '600', 'upload_imageresize_quality' => '90', 'use_md5_password_as_salt' => '0', 'ga_website_name' => 'Cofre', 'api' => '1', 'subfolder_rights_as_parent' => '1', 'show_only_accessible_folders' => '0', 'enable_suggestion' => '0', 'otv_expiration_period' => '7', 'default_session_expiration_time' => '60', 'duo' => '0', 'enable_server_password_change' => '0', 'ldap_object_class' => '0', 'bck_script_path' => '/var/www/html/backups', 'bck_script_filename' => '', 'syslog_enable' => '0', 'syslog_host' => 'localhost', 'syslog_port' => '514', 'manager_move_item' => '0', 'create_item_without_password' => '0', 'otv_is_enabled' => '0', 'agses_authentication_enabled' => '0', 
'item_extra_fields' => '1', 'saltkey_ante_2127' => 'none', 'migration_to_2127' => 'done', 'files_with_defuse' => 'done', 'timezone' => 'America/Sao_Paulo', 'enable_attachment_encryption' => '1', 'personal_saltkey_security_level' => '50', 'ldap_new_user_is_administrated_by' => '0', 'disable_show_forgot_pwd_link' => '1', 'offline_key_level' => '0', 'enable_http_request_login' => '0', 'ldap_and_local_authentication' => '1', 'secure_display_image' => '1', 'upload_zero_byte_file' => '0', 'upload_all_extensions_file' => '0', 'bck_script_passkey' => 'xxx', 'admin_2fa_required' => '0', 'can_create_root_folder' => '1', 'ga_reset_by_user' => '1', 'bck_script_key' => '', 'password_overview_delay' => '4', 'roles_allowed_to_print_select' => '', 'clipboard_life_duration' => '30', 'mfa_for_roles' => '', 'tree_counters' => '0', 'settings_offline_mode' => '1', 'settings_tree_counters' => '0', 'copy_to_clipboard_small_icons' => '1', 'enable_massive_move_delete' => '0', 'email_debug_level' => '0', 'onthefly-backup-key' => '', 'onthefly-restore-key' => '', 'ldap_user_dn_attribute' => 'distinguishedname', 'ldap_dn_additional_user_dn' => '', 'ldap_user_object_filter' => '', 'ldap_bdn' => 'xxx', 'ldap_hosts' => 'xxx', 'ldap_password' => 'XXX', 'ldap_username' => 'XXX', 'api_token_duration' => '60', 'enable_tasks_manager' => '1', 'task_maximum_run_time' => '300', 'maximum_number_of_items_to_treat' => '300', 'tasks_manager_refreshing_period' => '100', 'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER', 'enable_tasks_log' => '0', 'enable_ad_users_with_ad_groups' => '1', 'enable_ad_user_auto_creation' => '0', 'ldap_group_object_filter' => '(objectClass=group)', 'ldap_guid_attibute' => 'objectguid', 'sending_emails_job_frequency' => '2', 'user_keys_job_frequency' => '1', 'items_statistics_job_frequency' => '5', 'reload_cache_table_task' => '', 'rebuild_config_file' => '', 'purge_temporary_files_task' => '', 'clean_orphan_objects_task' => '', 'users_personal_folder_task' => '', 
'maximum_session_expiration_time' => '120', 'items_ops_job_frequency' => '1', 'upgrade_timestamp' => '1702474708', 'teampass_version' => '3.0.10', 'duo_ikey' => 'admin',
```
**Updated from an older Teampass or fresh install:** Updated from older version
PLEASE attach to this issue the file /includes/config/tp.config.php.
Client configuration
**Browser:** Google Chrome
**Operating system:** Windows 10
Logs
Web server error log
```
teampass-nginx-1 | nginx.1 | xxx xxx - - [30/Jan/2024:13:17:56 +0000] "POST /sources/identify.php HTTP/2.0" 200 985 "https://xxx/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "172.20.0.2:80"
teampass-teampass-1 | 172.20.0.3 - - [30/Jan/2024:13:17:56 +0000] "POST /sources/identify.php HTTP/1.1" 200 997 "https://xxx/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
teampass-nginx-1 | nginx.1 | xxx xxx - - [30/Jan/2024:13:17:57 +0000] "POST /sources/identify.php HTTP/2.0" 200 1000 "https://xxx/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "172.20.0.2:80"
teampass-teampass-1 | 172.20.0.3 - - [30/Jan/2024:13:17:57 +0000] "POST /sources/identify.php HTTP/1.1" 200 1012 "https://xxx/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
```
Log from the web-browser developer console (CTRL + SHIFT + i)
```json
{
  "GACode": "",
  "login": "xxx",
  "pw": "PASSWORD",
  "duree_session": "60",
  "screenHeight": 588.547,
  "randomstring": "WHL2V9mbLK",
  "TimezoneOffset": 10800,
  "client": "",
  "user_2fa_selection": "google"
}
```
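The console dump above shows the classic shape of this bug: a client-side error handler writes the whole login request object to the console, so the `pw` field goes with it. The following is an added example, not TeamPass's own code; it contrasts that pattern with one that masks secret fields before anything is logged. The key names in `SENSITIVE_KEYS`, the handler names and the sample payload are assumptions (the payload mirrors the field names in the reporter's console output, with constructed values).

```javascript
"use strict";

// Added example, not TeamPass code. Field names that must never reach a log,
// compared case-insensitively. "pw" and "GACode" come from the report's
// payload; the rest are assumed common names.
const SENSITIVE_KEYS = new Set(["pw", "password", "gacode", "otp", "token", "secret"]);

// Return a deep copy of `value` in which every field whose lower-cased key is
// in SENSITIVE_KEYS is replaced by a placeholder. Arrays and nested objects are
// walked so a secret inside a sub-object is masked too. The input is never
// mutated, so the real payload can still be sent to the server afterwards.
function redactForLog(value) {
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [key, inner] of Object.entries(value)) {
    out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? "[REDACTED]" : redactForLog(inner);
  }
  return out;
}

// Vulnerable pattern matching the reported symptom: when identify.php answers
// with an LDAP error, the full request body (including pw) is dumped to the
// console. `logger` is injectable so the leak can be checked programmatically.
function handleLoginErrorVulnerable(payload, serverError, logger = console) {
  logger.log("login failed", serverError, payload); // leaks payload.pw
  return payload;
}

// Hardened pattern: log the error plus a redacted copy of the payload, which
// keeps the debugging value (which user, which 2FA method) without the secret.
function handleLoginErrorHardened(payload, serverError, logger = console) {
  const safe = redactForLog(payload);
  logger.log("login failed", serverError, safe);
  return safe;
}

// Constructed sample mirroring the field names in the reporter's console dump.
const SAMPLE_PAYLOAD = {
  GACode: "",
  login: "jdoe",
  pw: "PASSWORD",
  duree_session: "60",
  screenHeight: 588.547,
  randomstring: "WHL2V9mbLK",
  TimezoneOffset: 10800,
  client: "",
  user_2fa_selection: "google",
};

// Check helper: run a handler against a capturing logger and report whether
// any logged line contains `needle` (e.g. the plaintext password).
function loggedOutputContains(handler, payload, needle) {
  const captured = [];
  const logger = { log: (...args) => captured.push(JSON.stringify(args)) };
  handler(payload, "LDAP error", logger);
  return captured.some((line) => line.includes(needle));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable leaks password:", loggedOutputContains(handleLoginErrorVulnerable, SAMPLE_PAYLOAD, "PASSWORD"));
  console.log("hardened leaks password:  ", loggedOutputContains(handleLoginErrorHardened, SAMPLE_PAYLOAD, "PASSWORD"));
}
```

Redaction is the defence-in-depth layer; the primary fix is simply not to log request bodies from production login code at all. A deny-list of key names also has to be kept in step with every new secret-bearing field, which is why `loggedOutputContains` is worth keeping as a regression check against the real login handler.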