
Kibana auth branch blanks passwords when setting groups / permitted tags

Open chorsley opened this issue 11 years ago • 2 comments

In the kibana-ruby-auth branch, changing a user's details may unintentionally set their password to an empty string, allowing logins with no password. To replicate:

  • Log in as admin
  • Visit /auth/admin
  • Create a regular user with password
  • Verify new user can log in via password
  • As admin, change this user's Allowed Tags. Leave "New Pass" field blank before Save Changes, expecting this will keep the current password.
  • Can now log in with this username and a blank password.

This is serious and also subtle, since there's no notification that the admin has reset the password to an empty string.

chorsley, Mar 04 '13 23:03
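The failure mode described in the report, shown as an added example that is not part of the issue and not the kibana-ruby-auth code: a constructed in-memory user store with an admin "edit user" handler that applies the form's "New Pass" field unconditionally (so a blank field becomes an empty password), beside a hardened handler that leaves the stored hash untouched unless a non-blank password is supplied. The function names, the PBKDF2 parameters and the sample users are all assumptions made for this illustration.

```ruby
require 'openssl'
require 'securerandom'

# Constructed illustration of the reported bug; not the kibana-ruby-auth code.
PBKDF2_ITERATIONS = 10_000
SALT_BYTES = 16

def hash_password(password, salt = SecureRandom.random_bytes(SALT_BYTES))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, 'sha256')
  { salt: salt, digest: digest }
end

# Constant-time comparison so a mismatch does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(record, candidate)
  return false if record.nil? || candidate.nil?
  probe = OpenSSL::PKCS5.pbkdf2_hmac(candidate, record[:salt], PBKDF2_ITERATIONS, 32, 'sha256')
  secure_equal?(probe, record[:digest])
end

def create_user(users, name, password, tags)
  users[name] = { password: hash_password(password), tags: tags }
end

# Vulnerable handler: every submitted field is written back, including an
# empty "New Pass", so editing only the tags silently resets the password to "".
def update_user_vulnerable(users, name, params)
  user = users.fetch(name)
  user[:tags] = params[:tags] if params.key?(:tags)
  user[:password] = hash_password(params[:new_pass].to_s)
  user
end

# Hardened handler: the password hash is rewritten only when a non-blank
# replacement is given; a missing or blank field keeps the existing credential.
def update_user_fixed(users, name, params)
  user = users.fetch(name)
  user[:tags] = params[:tags] if params.key?(:tags)
  new_pass = params[:new_pass]
  user[:password] = hash_password(new_pass) if new_pass && !new_pass.strip.empty?
  user
end

# Plain credential check, as a login form would perform it.
def login(users, name, password)
  record = users[name]
  password_matches?(record && record[:password], password)
end

# Defence in depth for the login path: an empty submitted password is refused
# before any hash is consulted, so a blanked account still cannot be used.
def login_strict(users, name, password)
  return false if password.nil? || password.strip.empty?
  login(users, name, password)
end

if __FILE__ == $PROGRAM_NAME
  users = {}
  create_user(users, 'alice', 's3cret', ['web'])
  update_user_vulnerable(users, 'alice', { tags: %w[web db], new_pass: '' })
  puts "vulnerable: blank password accepted? #{login(users, 'alice', '')}"

  users = {}
  create_user(users, 'alice', 's3cret', ['web'])
  update_user_fixed(users, 'alice', { tags: %w[web db], new_pass: '' })
  puts "fixed: blank password accepted? #{login(users, 'alice', '')}"
  puts "fixed: original password still works? #{login(users, 'alice', 's3cret')}"
end
```

The two layers are independent: `update_user_fixed` removes the cause (an unintended write), while `login_strict` limits the blast radius if some other code path ever stores an empty credential. An audit log entry whenever a password hash actually changes would also give the admin the notification the report says is missing.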

I had a look at this. Try the "fix_password" branch in my Kibana repository. I'll make a pull request if it is fully functional for you.

dav3860, Mar 07 '13 08:03

Just gave it a try, and it fixes the problem listed above. Thanks for the quick response!

chorsley, Mar 08 '13 13:03