nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Passwords visible in the log after unsuccessfully changing a password as admin in the frontend #13630

Closed Patrick-DE closed 3 years ago

Patrick-DE commented 5 years ago

Steps to reproduce

  1. Activate checkHaveIBeenPwned (frontend)
  2. Change a user's password to an insecure password as an admin in the frontend
  3. Check the logs for OC\HintException

Expected behaviour

The password should be stripped from every type of log.

Actual behaviour

The password is stripped in some parts of the log but not all.

Server configuration

Operating system: Ubuntu 18.04 LTS

Snap bundle:

  - Nextcloud 14.0.5
  - Apache 2.4
  - PHP 7.1
  - MySQL 5.7
  - Redis 4.0
  - mDNS for network discovery

Updated from an older Nextcloud/ownCloud or fresh install: Fresh install

Where did you install Nextcloud from: Installed snap via installation of ubuntu

Signing status:

```
No errors have been found.
```

List of activated apps:

```
Enabled:
 - accessibility: 1.0.1
 - activity: 2.7.0
 - calendar: 1.6.4
 - cloud_federation_api: 0.0.1
 - comments: 1.4.0
 - contacts: 2.1.8
 - dav: 1.6.1
 - federatedfilesharing: 1.4.0
 - federation: 1.4.0
 - files: 1.9.0
 - files_pdfviewer: 1.3.2
 - files_sharing: 1.6.2
 - files_texteditor: 2.6.0
 - files_trashbin: 1.4.1
 - files_versions: 1.7.1
 - files_videoplayer: 1.3.0
 - firstrunwizard: 2.3.0
 - gallery: 18.1.0
 - groupfolders: 2.0.2
 - logreader: 2.0.0
 - lookup_server_connector: 1.2.0
 - nextcloud_announcements: 1.3.0
 - notifications: 2.2.1
 - oauth2: 1.2.1
 - ownbackup: 18.11.0
 - password_policy: 1.4.0
 - provisioning_api: 1.4.0
 - quota_warning: 1.3.0
 - serverinfo: 1.4.0
 - sharebymail: 1.4.0
 - support: 1.0.0
 - survey_client: 1.2.0
 - systemtags: 1.4.0
 - theming: 1.5.0
 - twofactor_backupcodes: 1.3.1
 - workflowengine: 1.4.0
Disabled:
 - admin_audit
 - encryption
 - files_external
 - user_external
 - user_ldap
```

Nextcloud configuration:

```json
{
  "system": {
    "apps_paths": [
      {
        "path": "\/snap\/nextcloud\/current\/htdocs\/apps",
        "url": "\/apps",
        "writable": false
      },
      {
        "path": "\/var\/snap\/nextcloud\/current\/nextcloud\/extra-apps",
        "url": "\/extra-apps",
        "writable": true
      }
    ],
    "supportedDatabases": ["mysql"],
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "redis": {
      "host": "***REMOVED SENSITIVE VALUE***",
      "port": 0
    },
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": ["nextcloud", "***REMOVED SENSITIVE VALUE***"],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "14.0.5.2",
    "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_sendmailmode": "smtp",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpauth": 1,
    "mail_smtpsecure": "tls",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "587",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
  }
}
```

Are you using external storage, if yes which one (local/smb/sftp/...): No

Are you using encryption (yes/no): No

Are you using an external user-backend, if yes which one (LDAP/ActiveDirectory/Webdav/...): No

Client configuration

Browser: Version 71.0.3578.98 (Official Build) (64-bit)

Operating system: Windows 10.0.17134 Build 17134

Logs

Web server error log:

```
No logs
```

Nextcloud log (data/nextcloud.log):

```
no app in context OC\HintException: Password is present in compromised password list. Please choose a different password.
/snap/nextcloud/10791/htdocs/apps/password_policy/lib/PasswordValidator.php - line 69: OCA\Password_Policy\PasswordValidator->checkHaveIBeenPwned("**EXPOSED_PASSWORD**")
/snap/nextcloud/10791/htdocs/apps/password_policy/lib/AppInfo/Application.php - line 49: OCA\Password_Policy\PasswordValidator->validate("**EXPOSED_PASSWORD**")
/snap/nextcloud/10791/htdocs/3rdparty/symfony/event-dispatcher/EventDispatcher.php - line 212: OCA\Password_Policy\AppInfo\{closure}("*** sensiti ... *")
/snap/nextcloud/10791/htdocs/3rdparty/symfony/event-dispatcher/EventDispatcher.php - line 44: Symfony\Component\EventDispatcher\EventDispatcher->doDispatch([ Closure {}], "*** sensiti ... *", "*** sensiti ... *")
/snap/nextcloud/10791/htdocs/lib/private/User/Database.php - line 203: Symfony\Component\EventDispatcher\EventDispatcher->dispatch("*** sensiti ... *", "*** sensiti ... *")
/snap/nextcloud/10791/htdocs/lib/private/User/User.php - line 265: OC\User\Database->setPassword("Adrian", "**EXPOSED_PASSWORD**")
/snap/nextcloud/10791/htdocs/apps/provisioning_api/lib/Controller/UsersController.php - line 515: OC\User\User->setPassword("**EXPOSED_PASSWORD**")
/snap/nextcloud/10791/htdocs/lib/private/AppFramework/Http/Dispatcher.php - line 166: OCA\Provisioning_API\Controller\UsersController->editUser("Adrian", "password", "**EXPOSED_PASSWORD**")
/snap/nextcloud/10791/htdocs/lib/private/AppFramework/Http/Dispatcher.php - line 99: OC\AppFramework\Http\Dispatcher->executeController(OCA\Provisio ... {}, "editUser")
/snap/nextcloud/10791/htdocs/lib/private/AppFramework/App.php - line 118: OC\AppFramework\Http\Dispatcher->dispatch(OCA\Provisio ... {}, "editUser")
/snap/nextcloud/10791/htdocs/lib/private/AppFramework/Routing/RouteActionHandler.php - line 47: OC\AppFramework\App::main("OCA\\Provis ... r", "editUser", OC\AppFramew ... {}, { userId: "A ... "})
OC\AppFramework\Routing\RouteActionHandler->__invoke({ userId: "A ... "})
/snap/nextcloud/10791/htdocs/lib/private/Route/Router.php - line 297: call_user_func(OC\AppFramew ... {}, { userId: "A ... "})
/snap/nextcloud/10791/htdocs/ocs/v1.php - line 82: OC\Route\Router->match("/ocsapp/cloud/users/**SENSITIVE INFO**")
/snap/nextcloud/10791/htdocs/ocs/v2.php - line 24: require_once("/snap/nextc ... p")
```

Browser log:

```
VM658:1 PUT https://**SENSITIVE INFO**/ocs/v2.php/cloud/users/**SENSITIVE INFO** 404 (Not Found)
{ "users": { "users": [ { "enabled": true, "id": "**SENSITIVE INFO**", "storageLocation": "/var/snap/nextcloud/common/nextcloud/data/**SENSITIVE INFO**", "lastLogin": 1547593387000, "backend": "Database", "subadmin": [], "quota": { "free": 993922899968, "used": 2855213087, "total": 996778113055, "relative": 0.29, "quota": -3 }, "email": "**SENSITIVE INFO**", "displayname": "**SENSITIVE INFO**", "phone": "", "address": "", "website": "", "twitter": "", "groups": [ "**SENSITIVE INFO**" ], "language": "en", "locale": "" }, { "enabled": true, "id": "**SENSITIVE INFO**", "storageLocation": "/var/snap/nextcloud/common/nextcloud/data/**SENSITIVE INFO**", "lastLogin": 0, "backend": "Database", "subadmin": [], "quota": { "free": 993922899968, "used": 13110001580, "total": 1007032901548, "relative": 1.3, "quota": -3 }, "email": null, "displayname": "**SENSITIVE INFO**", "phone": "", "address": "", "website": "", "twitter": "", "groups": [ "**SENSITIVE INFO**" ], "language": "en", "locale": "" }, { "enabled": true, "id": "**SENSITIVE INFO**", "storageLocation": "/var/snap/nextcloud/common/nextcloud/data/**SENSITIVE INFO**", "lastLogin": 0, "backend": "Database", "subadmin": [], "quota": { "free": 993922899968, "used": 11779982167, "total": 1005702882135, "relative": 1.17, "quota": -3 }, "email": "**SENSITIVE INFO**", "displayname": "**SENSITIVE INFO**", "phone": "", "address": "", "website": "", "twitter": "", "groups": [ "**SENSITIVE INFO**" ], "language": "en", "locale": "" }, { "enabled": true, "id": "**SENSITIVE INFO**", "storageLocation": "/var/snap/nextcloud/common/nextcloud/data/**SENSITIVE INFO**", "lastLogin": 0, "backend": "Database", "subadmin": [], "quota": { "free": 5296485036, "used": 72224084, "total": 5368709120, "relative": 1.35, "quota": 5368709120 }, "email": null, "displayname": "**SENSITIVE INFO**", "phone": "", "address": "", "website": "", "twitter": "", "groups": [ "**SENSITIVE INFO**" ], "language": "en", "locale": "" }, { "enabled": true, "id": "**SENSITIVE INFO**", "storageLocation": "/var/snap/nextcloud/common/nextcloud/data/**SENSITIVE INFO**", "lastLogin": 1547641312000, "backend": "Database", "subadmin": [], "quota": { "free": 993922899968, "used": 477908843676, "total": 1471831743644, "relative": 32.47, "quota": -3 }, "email": "**SENSITIVE INFO**", "displayname": "**SENSITIVE INFO**", "phone": "", "address": "", "website": "**SENSITIVE INFO**", "twitter": "**SENSITIVE INFO**", "groups": [ "**SENSITIVE INFO**" ], "language": "de", "locale": "de_DE" } ], "groups": [ { "id": "admin", "name": "admin", "usercount": 1, "disabled": 0, "canAdd": true, "canRemove": true }, { "id": "disabled", "name": "Disabled users", "usercount": 0, "disabled": 0, "canAdd": true, "canRemove": true }, { "id": "**SENSITIVE INFO**", "name": "**SENSITIVE INFO**", "usercount": 2, "disabled": 0, "canAdd": true, "canRemove": true }, { "id": "**SENSITIVE INFO**", "name": "**SENSITIVE INFO**", "usercount": 1, "disabled": 0, "canAdd": true, "canRemove": true }, { "id": "**SENSITIVE INFO**", "name": "**SENSITIVE INFO**", "usercount": 1, "disabled": 0, "canAdd": true, "canRemove": true } ], "orderBy": 1, "minPasswordLength": 8, "usersOffset": 25, "usersLimit": 25, "userCount": 5 }, "apps": { "apps": [], "categories": [], "updateCount": 0, "loading": {}, "loadingList": false }, "settings": { "serverData": { "groups": [ { "id": "admin", "name": "admin", "usercount": 1, "disabled": 0, "canAdd": true, "canRemove": true }, { "id": "disabled", "name": "Disabled users", "usercount": 0 }, { "id": "**SENSITIVE INFO**", "name": "**SENSITIVE INFO**", "usercount": 2, "disabled": 0, "canAdd": true, "canRemove": true }, { "id": "**SENSITIVE INFO**", "name": "**SENSITIVE INFO**", "usercount": 1, "disabled": 0, "canAdd": true, "canRemove": true }, { "id": "**SENSITIVE INFO**", "name": "**SENSITIVE INFO**", "usercount": 1, "disabled": 0, "canAdd": true, "canRemove": true } ], "isAdmin": true, "sortGroups": 1, "quotaPreset": [ "1 GB", "5 GB", "10 GB" ], "userCount": 5, "languages": { "commonlanguages": [ { "code": "en", "name": "English (US)" }, { "code": "es", "name": "Castellano" }, { "code": "fr", "name": "Français" }, { "code": "de", "name": "Deutsch (Persönlich: Du)" }, { "code": "de_DE", "name": "Deutsch (Förmlich: Sie)" }, { "code": "ja", "name": "Japanese (日本語)" }, { "code": "ar", "name": "اللغة العربية" }, { "code": "ru", "name": "Русский" }, { "code": "nl", "name": "Nederlands" }, { "code": "it", "name": "Italiano" }, { "code": "pt_BR", "name": "Português Brasileiro" }, { "code": "pt_PT", "name": "Português" }, { "code": "da", "name": "Dansk" }, { "code": "sv", "name": "Svenska" }, { "code": "tr", "name": "Türkçe" }, { "code": "zh_CN", "name": "简体中文" }, { "code": "ko", "name": "한국어" } ], "languages": [ { "code": "ast", "name": "Asturianu" }, { "code": "id", "name": "Bahasa Indonesia" }, { "code": "ca", "name": "Català" }, { "code": "et_EE", "name": "Eesti" }, { "code": "en_GB", "name": "English (British English)" }, { "code": "es_AR", "name": "Español (Argentina)" }, { "code": "es_CL", "name": "Español (Chile)" }, { "code": "es_CO", "name": "Español (Colombia)" }, { "code": "es_CR", "name": "Español (Costa Rica)" }, { "code": "es_DO", "name": "Español (Dominican Republic)" }, { "code": "es_EC", "name": "Español (Ecuador)" }, { "code": "es_SV", "name": "Español (El Salvador)" }, { "code": "es_GT", "name": "Español (Guatemala)" }, { "code": "es_HN", "name": "Español (Honduras)" }, { "code": "es_419", "name": "Español (Latin America)" }, { "code": "es_MX", "name": "Español (México)" }, { "code": "es_NI", "name": "Español (Nicaragua)" }, { "code": "es_PA", "name": "Español (Panama)" }, { "code": "es_PY", "name": "Español (Paraguay)" }, { "code": "es_PE", "name": "Español (Peru)" }, { "code": "es_PR", "name": "Español (Puerto Rico)" }, { "code": "es_UY", "name": "Español (Uruguay)" }, { "code": "eo", "name": "Esperanto" }, { "code": "eu", "name": "Euskara" }, { "code": "gl", "name": "Galego" }, { "code": "hr", "name": "Hrvatski" }, { "code": "lv", "name": "Latviešu" }, { "code": "lt_LT", "name": "Lietuvių" }, { "code": "hu", "name": "Magyar" }, { "code": "nb", "name": "Norsk bokmål" }, { "code": "ro", "name": "Română" }, { "code": "sq", "name": "Shqip" }, { "code": "sk", "name": "Slovenčina" }, { "code": "sl", "name": "Slovenščina" }, { "code": "vi", "name": "Tiếng Việt" }, { "code": "pl", "name": "polski" }, { "code": "fi", "name": "suomi" }, { "code": "is", "name": "Íslenska" }, { "code": "cs", "name": "čeština" }, { "code": "el", "name": "Ελληνικά" }, { "code": "bg", "name": "Български" }, { "code": "sr", "name": "Српски" }, { "code": "uk", "name": "Українська" }, { "code": "he", "name": "עברית" }, { "code": "fa", "name": "فارسى" }, { "code": "ka_GE", "name": "ქართული" }, { "code": "zh_TW", "name": "正體中文(臺灣)" }, { "code": "af", "name": "af" } ] }, "defaultLanguage": "en", "defaultQuota": "none", "canChangePassword": true } }, "oc": {}, "route": { "name": "users", "path": "/settings/users", "hash": "", "query": {}, "params": {}, "fullPath": "/settings/users", "meta": {}, "from": { "name": null, "path": "/", "hash": "", "query": {}, "params": {}, "fullPath": "/", "meta": {} } } }
```

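The trace in the report shows the gap this issue is about: the frames for the Symfony event dispatcher have their string arguments replaced by a sanitizer marker, while the frames for `setPassword()`, `validate()`, `checkHaveIBeenPwned()` and `editUser()` still carry the plaintext password (and the username). The Python below is an added example, not code from Nextcloud or from anyone in this thread. It parses a trace in the `<file> - line <n>: <callee>(<args>)` layout seen above, flags every frame whose callee is a password-handling method and still carries an unredacted string literal, and shows the redaction step that would close the gap. The sample trace, the set of sensitive method names, the user `alice` and the placeholder password `hunter2` are constructed for the example; the full wording of the sanitizer marker is an assumption, since the report only shows it truncated as `*** sensiti ... *`.

```python
"""Audit a Nextcloud-style exception trace for password arguments that
escaped log sanitization, and show the redaction that closes the gap.

Added example for issue #13630; not code from the Nextcloud project.
The sample trace, method list and credentials below are constructed.
"""
import re

# Frame layout as printed in nextcloud.log: "<file> - line <n>: <callee>(<args>)".
FRAME_RE = re.compile(
    r"^(?P<file>\S+) - line (?P<line>\d+): (?P<callee>[^(]+)\((?P<args>.*)\)$"
)
# A double-quoted PHP string literal inside the serialized argument list.
LITERAL_RE = re.compile(r'"(?:[^"\\]|\\.)*"')

# Methods whose arguments must never reach the log in clear. Constructed
# from the call chain visible in the issue; which methods a real sanitizer
# should cover is an assumption for this example.
SENSITIVE_METHODS = {"checkHaveIBeenPwned", "validate", "setPassword", "editUser", "dispatch"}

# Marker a sanitizer substitutes for a redacted argument. The issue shows it
# truncated ("*** sensiti ... *"); the full wording here is an assumption.
REDACTION = "*** sensitive parameters replaced ***"
REDACTED_PREFIX = "*** sensiti"

# Constructed trace mirroring the frame layout in the issue, with the real
# password replaced by the placeholder "hunter2" and the user by "alice".
SAMPLE_TRACE = r"""OC\HintException: Password is present in compromised password list. Please choose a different password.
/srv/nextcloud/apps/password_policy/lib/PasswordValidator.php - line 69: OCA\Password_Policy\PasswordValidator->checkHaveIBeenPwned("hunter2")
/srv/nextcloud/apps/password_policy/lib/AppInfo/Application.php - line 49: OCA\Password_Policy\PasswordValidator->validate("hunter2")
/srv/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php - line 212: OCA\Password_Policy\AppInfo\{closure}("*** sensitive parameters replaced ***")
/srv/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php - line 44: Symfony\Component\EventDispatcher\EventDispatcher->doDispatch([ Closure {}], "*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
/srv/nextcloud/lib/private/User/Database.php - line 203: Symfony\Component\EventDispatcher\EventDispatcher->dispatch("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
/srv/nextcloud/lib/private/User/User.php - line 265: OC\User\Database->setPassword("alice", "hunter2")
/srv/nextcloud/apps/provisioning_api/lib/Controller/UsersController.php - line 515: OC\User\User->setPassword("hunter2")
/srv/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 166: OCA\Provisioning_API\Controller\UsersController->editUser("alice", "password", "hunter2")
/srv/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 99: OC\AppFramework\Http\Dispatcher->executeController(OCA\Provisio ... {}, "editUser")
"""


def method_name(callee):
    """Last segment of 'Class->method', 'Class::method' or a plain function name."""
    return re.split(r"->|::", callee)[-1]


def parse_frames(trace):
    """Yield (file, line, callee, args) for every line that is a stack frame."""
    for raw in trace.splitlines():
        m = FRAME_RE.match(raw)
        if m:
            yield m.group("file"), int(m.group("line")), m.group("callee"), m.group("args")


def find_leaks(trace, sensitive=SENSITIVE_METHODS):
    """Return [(method, line, [exposed literals])] for frames of sensitive
    methods whose string arguments were not replaced by the sanitizer marker.
    A frame whose literals are all redacted (e.g. dispatch) is not reported."""
    leaks = []
    for _file, line, callee, args in parse_frames(trace):
        method = method_name(callee)
        if method not in sensitive:
            continue
        exposed = [lit[1:-1] for lit in LITERAL_RE.findall(args)
                   if not lit[1:-1].startswith(REDACTED_PREFIX)]
        if exposed:
            leaks.append((method, line, exposed))
    return leaks


def sanitize_trace(trace, sensitive=SENSITIVE_METHODS):
    """Hardened serialization: replace every string literal passed to a
    sensitive method before the trace is written to the log."""
    out = []
    for raw in trace.splitlines():
        m = FRAME_RE.match(raw)
        if m and method_name(m.group("callee")) in sensitive:
            args = LITERAL_RE.sub(f'"{REDACTION}"', m.group("args"))
            raw = f'{m.group("file")} - line {m.group("line")}: {m.group("callee")}({args})'
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for method, line, exposed in find_leaks(SAMPLE_TRACE):
        print(f"line {line}: {method}() leaks {exposed}")
    assert find_leaks(sanitize_trace(SAMPLE_TRACE)) == []
```

Run against a real `nextcloud.log`, `find_leaks()` is the check a practitioner would want after a fix: it reports only frames that are both on the sensitive list and carry an unredacted literal, so a trace where every password-carrying frame shows the marker produces no findings. The redaction in `sanitize_trace()` is keyed on the callee's method name, which is why the set has to cover every method the password passes through on the way down the stack, not just the one that finally raised.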
Mx7ca commented 5 years ago

I can confirm the problem. I created a user with a weak password (for testing purposes) and in the nextcloud.log I can find the password in clear. But contrary to the original poster, I didn't activate the HaveIBeenPwned check.

Server configuration:

  - Debian Stretch
  - Nextcloud fresh install via tar.gz (current 14.0.4)
  - Apache 2.4.25
  - PHP 7.0
  - MariaDB 10.1 (MySQL 5.8)

Client configuration:

  - Ubuntu 18.04.1 LTS
  - Mozilla Firefox 64.0

App list:

```
Enabled:
 - accessibility: 1.0.1
 - activity: 2.7.0
 - calendar: 1.6.4
 - cloud_federation_api: 0.0.1
 - comments: 1.4.0
 - contacts: 2.1.8
 - dav: 1.6.0
 - encryption: 2.2.0
 - federatedfilesharing: 1.4.0
 - federation: 1.4.0
 - files: 1.9.0
 - files_pdfviewer: 1.3.2
 - files_sharing: 1.6.2
 - files_texteditor: 2.6.0
 - files_trashbin: 1.4.1
 - files_versions: 1.7.1
 - files_videoplayer: 1.3.0
 - firstrunwizard: 2.3.0
 - gallery: 18.1.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.2.0
 - mail: 0.11.0
 - nextcloud_announcements: 1.3.0
 - notes: 2.5.1
 - notifications: 2.2.1
 - oauth2: 1.2.1
 - password_policy: 1.4.0
 - provisioning_api: 1.4.0
 - serverinfo: 1.4.0
 - sharebymail: 1.4.0
 - support: 1.0.0
 - survey_client: 1.2.0
 - systemtags: 1.4.0
 - tasks: 0.9.8
 - theming: 1.5.0
 - twofactor_backupcodes: 1.3.1
 - updatenotification: 1.4.1
 - workflowengine: 1.4.0
Disabled:
 - admin_audit
 - files_external
 - user_external
 - user_ldap
```

PVince81 commented 3 years ago

I've tested with Nextcloud 22.2.0 and even with debug log I didn't see anything logged there, even with the "HaveIBeenPwned" check option on when the error occurs.

So probably the exception is not logged any more now.