
#3356 pam password exposure via syslog

Milestone: 1.450
Status: closed-fixed
Priority: 5
Updated: 2009-03-20
Created: 2009-03-20
Creator: Danny Sauer
Private: No

When using full pam conversations and "log authentication failures to syslog" checked, I would occasionally have a failed login and the password would be logged to syslog as if it was the username. The log message has been purged, but I recall it as "invalid user xxx" where xxx was the password of the user attempting to log in.

I haven't looked closely at the code yet, but it appears that the session code was getting confused. This happens when using IE 6.0 under Windows 2000. Sessions occasionally get messed up anyway, so this may be more of a cookie handling problem with IE than a specific pam issue. I'm inclined to believe it's a session issue, as the username and password pair were correct. I cannot replicate the problem, but when it happens, it consistently happens until miniserv is restarted - then the problem goes away.

I think the password exposure could be avoided by including a hidden field in the form noting what is actually being asked for, and possibly one tracking the username (if it's possible to definitively identify the username in all cases)...
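The failure mode in the report, and the hidden-field idea it suggests, modelled as an added example. This is not Webmin or miniserv code and not the fix that was shipped; it is a small Python simulation of a web front end that drives a PAM conversation one prompt per HTTP round trip. The prompt texts, the session model, the account `danny` / `s3cret!` and the log wording are all constructed for the illustration. The buggy handler decides what a posted reply means from a server-side step counter, so a stale password reply arriving after the session was reset is treated as the username and ends up in the failure log; the hardened handler reads the prompt type the form says it answered, refuses to reinterpret a reply for a prompt it is not waiting on, and only ever logs the reply accepted for an echo-on prompt.

```python
"""Constructed model of a web front end driving a PAM conversation.
Not Webmin/miniserv code; prompts, session model and credentials are
assumptions made for illustration only."""

PAM_PROMPT_ECHO_OFF = 1   # reply is secret (password): never show, never log
PAM_PROMPT_ECHO_ON = 2    # reply may be shown (username)

# Constructed prompt sequence, as a typical login/password stack would issue.
PROMPTS = [("login: ", PAM_PROMPT_ECHO_ON), ("Password: ", PAM_PROMPT_ECHO_OFF)]
VALID = {"danny": "s3cret!"}   # constructed account


class Session:
    def __init__(self):
        self.step = 0      # prompt the server believes is outstanding
        self.replies = {}  # prompt type -> reply received for it


def finish(session, log):
    """Check credentials once every prompt has a reply; log failures.
    Only the echo-on reply is written to the log, never the echo-off one."""
    if len(session.replies) < len(PROMPTS):
        return None
    user = session.replies.get(PAM_PROMPT_ECHO_ON)
    ok = VALID.get(user) == session.replies.get(PAM_PROMPT_ECHO_OFF)
    if not ok:
        log.append("invalid user %s" % user)
    session.step, session.replies = 0, {}
    return ok


def reply_positional(session, reply, kind_from_form, log):
    """Buggy handler: the meaning of a reply is taken from the server-side
    step counter alone; what the form says it answered is ignored.  If the
    session was reset while the browser still sat on the password prompt,
    the password is stored as the echo-on (username) reply."""
    kind = PROMPTS[session.step][1]
    session.replies[kind] = reply
    session.step += 1
    return finish(session, log)


def reply_typed(session, reply, kind_from_form, log):
    """Hardened handler: the form carries a hidden field naming the prompt
    type it answers (kind_from_form).  The field is client-supplied, so it
    is used only as a consistency check against the server's own state:
    a reply for a prompt the server is not waiting on is dropped and the
    conversation restarts, rather than the reply being reinterpreted."""
    if kind_from_form != PROMPTS[session.step][1]:
        session.step, session.replies = 0, {}
        log.append("pam conversation out of sync, restarted")
        return None
    session.replies[kind_from_form] = reply
    session.step += 1
    return finish(session, log)


def confused_login(handler, max_rounds=4):
    """Replay the report: the browser already answered 'login:' but the
    server-side session was reset to the first prompt before the password
    reply arrived.  The simulated browser then keeps answering whatever
    prompt the server currently shows.  Returns (auth result, log lines)."""
    log, s = [], Session()
    creds = {PAM_PROMPT_ECHO_ON: "danny", PAM_PROMPT_ECHO_OFF: "s3cret!"}
    # Stale reply: a password, posted for the prompt the browser last saw.
    result = handler(s, creds[PAM_PROMPT_ECHO_OFF], PAM_PROMPT_ECHO_OFF, log)
    rounds = 0
    while result is None and rounds < max_rounds:
        kind = PROMPTS[s.step][1]          # prompt the server now displays
        result = handler(s, creds[kind], kind, log)
        rounds += 1
    return result, log


def password_leaked(log):
    """True if the constructed password appears anywhere in the log."""
    return any("s3cret!" in line for line in log)


if __name__ == "__main__":
    for h in (reply_positional, reply_typed):
        ok, log = confused_login(h)
        print(h.__name__, "auth=%s leaked=%s log=%r" % (ok, password_leaked(log), log))
```

With the positional handler the replay ends in a failed login whose log line is "invalid user s3cret!", which is the exposure the report describes; with the typed handler the stale reply is discarded, the user is asked for the login again, authentication succeeds and the password never reaches the log. Two points carry over to any real implementation: the hidden field only tells the server what the browser thinks it answered, so the server must still compare it against its own expected prompt instead of trusting it, and the failure log should be built from the reply the server accepted for an echo-on prompt, never from whatever happened to arrive in the username slot.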

Discussion

  • Jamie Cameron - 2009-03-20
    • status: open --> closed-fixed

  • Jamie Cameron - 2009-03-20

    Ok, I see from the code how this could happen. I'll fix it in the next Webmin release.
