A user.login or system.connect request via XMLRPC returns the logged in user's password hash. Is that correct behavior?
<methodResponse>
<params>
<param>
<value><struct>
<member><name>sessid</name><value><string>asNTVaZ2Fc5ba_QyYR4st8-dLp1lzHYwl0VdvuQKKWA</string></value></member>
<member><name>user</name><value><struct>
<member><name>uid</name><value><string>4</string></value></member>
<member><name>name</name><value><string>player1</string></value></member>
<member><name>pass</name><value><string>$S$Dw2Jn.uKv0kabe44kkT3C27uCOvvcLlgOcoAv4qKbk/oyE50JA32</string></value></member>
<member><name>mail</name><value><string>player1@example.com</string></value></member>
<member><name>theme</name><value><string></string></value></member>
<member><name>signature</name><value><string></string></value></member>
<member><name>signature_format</name><value><string>filtered_html</string></value></member>
<member><name>created</name><value><string>1314911254</string></value></member>
<member><name>access</name><value><string>1314917022</string></value></member>
<member><name>login</name><value><string>1314917022</string></value></member>
<member><name>status</name><value><string>1</string></value></member>
<member><name>timezone</name><value><string>America/Chicago</string></value></member>
<member><name>language</name><value><string></string></value></member>
<member><name>picture</name><value><string>0</string></value></member>
<member><name>init</name><value><string>player1@example.com</string></value></member>
<member><name>data</name><value><boolean>0</boolean></value></member>
<member><name>sid</name><value><string>asNTVaZ2Fc5ba_QyYR4st8-dLp1lzHYwl0VdvuQKKWA</string></value></member>
<member><name>ssid</name><value><string></string></value></member>
<member><name>hostname</name><value><string>127.0.0.1</string></value></member>
<member><name>timestamp</name><value><string>1314917022</string></value></member>
<member><name>cache</name><value><string>0</string></value></member>
<member><name>session</name><value><string></string></value></member>
<member><name>roles</name><value><struct>
<member><name>2</name><value><string>authenticated user</string></value></member>
</struct></value></member>
</struct></value></member>
</struct></value>
</param>
</params>
</methodResponse>
| Comment | File | Size | Author |
|---|---|---|---|
| #12 | 0001-Issue-1267212-by-marcingy-Password-hash-leakage.patch | 2.51 KB | ygerasimov |
| #10 | hash-leak-v3.patch | 2.08 KB | marcingy |
| #7 | hash-leak-v2.patch | 2.08 KB | marcingy |
| #2 | hash-leak.patch | 985 bytes | marcingy |
Comments
Comment #1
kylebrowning commentedNo its being removed.
Comment #2
marcingy commentedInital patch needs tests still just want to confirm that this is all areas that need changed
Comment #4
marcingy commentedBad test bot..your inability to enable ctools is sad :(
Comment #5
wedge commentedShouldn't this be indented one more space?
And with the patch I still get hash leaks on user/login and system/connect.
Comment #6
marcingy commentedI pretty well knew I was going to miss some areas.
I'll update the patch tonight to include those additional places and hopefully get the tests in place as well.
Comment #7
marcingy commentedBetter version of the patch still needs tests.
* Strips data in
- system connect
- user index
- user update
- user login
Comment #8
ygerasimov commentedThis should be
services_remove_user_data($result);As it is not big change I don't think we should have separate test for this patch. I also looked through the code of resources and think that marcingy covered all cases we needed to sanitize the user object.
Comment #9
kylebrowning commentedLooks good too me, I'm unsure on the pass by reference issue, was this tested on 5.3?
Comment #10
marcingy commentedpass by reference is a bug and comes from a mindless cut and paste session :)
Comment #11
kylebrowning commentedlooks good!
Comment #12
ygerasimov commentedPatch from #10 misses semicolon. Here is the same one. Please commit it.
Comment #13
kylebrowning commentedComment #14
kylebrowning commented