View Issue Details

ID: 0005172
Project: unrealircd
Category:
View Status: public
Last Update: 2018-12-19 13:04
Reporter: Jellis
Assigned To: syzop
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.2.0
Target Version: 4.2.1
Fixed in Version: 4.2.1
Summary: 0005172: Hide remote includes auth information
Description: When a remote include cannot be accessed, the IRCd outputs a warning to all operators that the file cannot be read/found/accessed/... and that it is using the cached version instead; this is great! However, when those links have password protection (they CAN contain sensitive information like plain passwords in some cases), an oper *could* get access to passwords he/she is not entitled to, because the output of the warning also gives the link username:password information, which should be masked for security reasons.

-irc.sever.example- *** [warning] /home/serverexample/unrealircd/conf/unrealircd.conf:1: include: error downloading 'https://MASKED:MASKED@server.example/irc-server-config/server.conf': Operation timed out after 15001 milliseconds with 0 out of 0 bytes received -- using cached version instead.
Steps To Reproduce: Have a password-protected include file in unrealircd.conf which is not accessible.
Additional Information: The MASKED:MASKED should be hidden or masked instead of showing the auth credentials.
Tags: No tags attached.
3rd party modules:

Activities

syzop

2018-12-17 17:26

administrator   ~0020409

Thanks for the report. Will definitely look at that.

syzop

2018-12-19 13:04

administrator   ~0020410

Fixed, thanks again! It now shows as http://***:***@host/etc/etc/etc

https://github.com/unrealircd/unrealircd/commit/56a964bba1c18210c4d90e5ca741d3d7b698d353

commit 56a964bba1c18210c4d90e5ca741d3d7b698d353 (HEAD -> unreal42, origin/unreal42)
Author: Bram Matthys <syzop@vulnscan.org>
Date: Wed Dec 19 13:02:36 2018 +0100

    Hide remote includes auth information in error messages. Reported by Jellis
    in https://bugs.unrealircd.org/view.php?id=5172
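
The masking described in the fix note above, sketched as an added example. This is not the code from the UnrealIRCd commit; the function names `mask_url_credentials` and `masked` and the sample credentials are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy url into out (size outlen) with any userinfo replaced by asterisks,
 * so the result is safe to put in a warning shown to operators.
 * Returns 1 if credentials were masked, 0 if the URL was copied unchanged.
 * Assumes '/', '?' and '#' inside the userinfo are percent-encoded
 * (as RFC 3986 requires); a raw '/' in a password is not handled. */
int mask_url_credentials(const char *url, char *out, size_t outlen)
{
    const char *auth, *end, *at = NULL, *p;
    int has_password;

    if (outlen == 0)
        return 0;
    auth = strstr(url, "://");
    if (auth == NULL) {                 /* no scheme: nothing to mask */
        snprintf(out, outlen, "%s", url);
        return 0;
    }
    auth += 3;                          /* start of the authority part */
    end = auth + strcspn(auth, "/?#");  /* authority ends at path/query */
    for (p = auth; p < end; p++)        /* last '@' before the path */
        if (*p == '@')
            at = p;
    if (at == NULL) {                   /* an '@' in the path is not userinfo */
        snprintf(out, outlen, "%s", url);
        return 0;
    }
    has_password = memchr(auth, ':', (size_t)(at - auth)) != NULL;
    snprintf(out, outlen, "%.*s%s%s", (int)(auth - url), url,
             has_password ? "***:***@" : "***@", at + 1);
    return 1;
}

/* Convenience wrapper for log calls; returns a static buffer. */
const char *masked(const char *url)
{
    static char buf[512];
    mask_url_credentials(url, buf, sizeof(buf));
    return buf;
}

int main(void)
{
    /* Constructed sample URL with made-up credentials. */
    const char *url = "https://alice:s3cret@server.example/irc-server-config/server.conf";
    printf("include: error downloading '%s'\n", masked(url));
    return 0;
}
```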

Issue History

Date Modified Username Field Change
2018-12-17 16:08 Jellis New Issue
2018-12-17 17:26 syzop Assigned To => syzop
2018-12-17 17:26 syzop Status new => confirmed
2018-12-17 17:26 syzop Note Added: 0020409
2018-12-17 17:26 syzop Target Version => 4.2.1
2018-12-19 13:04 syzop Status confirmed => resolved
2018-12-19 13:04 syzop Resolution open => fixed
2018-12-19 13:04 syzop Fixed in Version => 4.2.1
2018-12-19 13:04 syzop Note Added: 0020410
2018-12-19 13:04 syzop Priority high => normal
2018-12-19 13:04 syzop Severity tweak => minor