TeamPass
Error migratePassword - clear text password in logs
Steps to reproduce
- ldap user login on 3.0.6
- user change LDAP password
- migrate from 3.0.6 to 3.1.1.53
- user clear browser cache and try to login (with last ldap password). Can't login
- migrate from 3.1.1.53 to 3.1.1.74
- user clear browser cache and try to login. Same error
Expected behaviour
- user can login to Teampass
- if an error occurs, user password should not be written to log
Actual behaviour
- user gets error 500 and can not login
- user name and password (clear text) are written in logfile
Server configuration
Operating system: ubuntu 20.04.6 Docker
Web server: nginx version: nginx/1.24.0
Database: percona 8.0.27-18
PHP version: PHP 8.2.7 (cli) (built: Jun 9 2023 00:43:37) (NTS)
Teampass version: 3.1.1.74
Teampass configuration file:
Updated from an older Teampass or fresh install: upgrade from 3.0.6 to 3.1.1.53; upgrade from 3.1.1.53 to 3.1.1.74
Client configuration
Browser: Chrome
Operating system: Ubuntu
Logs
Web server error log
"NOTICE: PHP message: PHP Fatal error: Uncaught Exception: Password is not correct in /var/www/html/vendor/teampassclasses/passwordmanager/src/PasswordManager.php:77"
"Stack trace:"
"#0 /var/www/html/sources/identify.php(1405): TeampassClasses\PasswordManager\PasswordManager->migratePassword('$2yxxxxx...', 'PASSWORD-IN-CLEAR-TEXT...', 1xxxxxx)"
"#1 /var/www/html/sources/identify.php(1314): finalizeAuthentication(Array, 'PASSWORD-IN-CLEAR-TEXT...', Array)"
"#2 /var/www/html/sources/identify.php(2259): authenticateThroughAD('USER.NAME', Array, 'PASSWORD-IN-CLEAR-TEXT...', Array)"
"#3 /var/www/html/sources/identify.php(328): identifyDoLDAPChecks(Array, Array, 'USER.NAME', 'PASSWORD-IN-CLEAR-TEXT...', 0, '', 3)"
"#4 /var/www/html/sources/identify.php(162): identifyUser('eyXXXX...', Array)"
"#5 /var/www/html/sources/identify.php(194): handleAuthAttempts('eyXXXX...', Array)"
"#6 {main}"
" thrown in /var/www/html/vendor/teampassclasses/passwordmanager/src/PasswordManager.php on line 77"
Log from the web-browser developer console (CTRL + SHIFT + i)
Insert the log here and especially the answer of the query that failed.
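The stack trace above leaks the password because PHP records call arguments in exception traces. The following is an added example, not TeamPass code: it shows how the PHP 8.2 `#[\SensitiveParameter]` attribute keeps a marked argument out of the trace. The two function names and the sample values are hypothetical stand-ins. Setting `zend.exception_ignore_args=On` in php.ini removes all arguments from traces instead.

```php
<?php
declare(strict_types=1);

// Make the demo deterministic: production php.ini often sets this to On,
// which already hides every argument in traces.
ini_set('zend.exception_ignore_args', '0');

// Hypothetical stand-in for a password check that throws on mismatch
// (not TeamPass's PasswordManager::migratePassword()).
function migratePasswordUnsafe(string $hashedPassword, string $plainPassword, int $userId): void
{
    throw new Exception('Password is not correct');
}

// Same signature, with the secret marked: PHP >= 8.2 substitutes a
// SensitiveParameterValue object for it when the trace is built.
function migratePasswordSafe(
    string $hashedPassword,
    #[\SensitiveParameter] string $plainPassword,
    int $userId
): void {
    throw new Exception('Password is not correct');
}

// Call the given function with constructed sample values and return the
// trace text that an uncaught exception would send to the error log.
function traceOf(callable $fn): string
{
    try {
        $fn('$2y$10$constructedhash', 'Constructed-Passw0rd!', 42);
    } catch (Exception $e) {
        return $e->getTraceAsString();
    }
    return '';
}

$unsafe = traceOf('migratePasswordUnsafe');
$safe   = traceOf('migratePasswordSafe');

echo "without attribute:\n{$unsafe}\n\n";
echo "with attribute:\n{$safe}\n\n";

// getTraceAsString() truncates long strings, so look for the prefix only.
echo 'password prefix in unsafe trace: ';
var_dump(str_contains($unsafe, 'Constructed-Pas'));
echo 'password prefix in safe trace:   ';
var_dump(str_contains($safe, 'Constructed-Pas'));
```

The attribute has to be applied on every function in the call chain that receives the secret, since each stack frame records its own arguments.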