nilsteampassnet / TeamPass

Collaborative Passwords Manager
https://www.teampass.net

Error migratePassword - clear text password in logs #4067

Open sjsarg opened 8 months ago

sjsarg commented 8 months ago

Steps to reproduce

  1. LDAP user logs in on 3.0.6
  2. User changes LDAP password
  3. Migrate from 3.0.6 to 3.1.1.53
  4. User clears browser cache and tries to log in (with last LDAP password). Can't log in
  5. Migrate from 3.1.1.53 to 3.1.1.74
  6. User clears browser cache and tries to log in. Same error

Expected behaviour

Actual behaviour

Server configuration

Operating system: ubuntu 20.04.6 Docker

Web server: nginx version: nginx/1.24.0

Database: percona 8.0.27-18

PHP version: PHP 8.2.7 (cli) (built: Jun 9 2023 00:43:37) (NTS)

Teampass version: 3.1.1.74

Teampass configuration file:

Updated from an older Teampass or fresh install: upgrade from 3.0.6 to 3.1.1.53; upgrade from 3.1.1.53 to 3.1.1.74

Client configuration

Browser: Chrome

Operating system: Ubuntu

Logs

Web server error log

"NOTICE: PHP message: PHP Fatal error:  Uncaught Exception: Password is not correct in /var/www/html/vendor/teampassclasses/passwordmanager/src/PasswordManager.php:77"
"Stack trace:"
"#0 /var/www/html/sources/identify.php(1405): TeampassClasses\PasswordManager\PasswordManager->migratePassword('$2yxxxxx...', 'PASSWORD-IN-CLEAR-TEXT...', 1xxxxxx)"
"#1 /var/www/html/sources/identify.php(1314): finalizeAuthentication(Array, 'PASSWORD-IN-CLEAR-TEXT...', Array)"
"#2 /var/www/html/sources/identify.php(2259): authenticateThroughAD('USER.NAME', Array, 'PASSWORD-IN-CLEAR-TEXT...', Array)"
"#3 /var/www/html/sources/identify.php(328): identifyDoLDAPChecks(Array, Array, 'USER.NAME', 'PASSWORD-IN-CLEAR-TEXT...', 0, '', 3)"
"#4 /var/www/html/sources/identify.php(162): identifyUser('eyXXXX...', Array)"
"#5 /var/www/html/sources/identify.php(194): handleAuthAttempts('eyXXXX...', Array)"
"#6 {main}"
"  thrown in /var/www/html/vendor/teampassclasses/passwordmanager/src/PasswordManager.php on line 77"

Log from the web-browser developer console (CTRL + SHIFT + i)

Insert the log here and especially the answer of the query that failed.
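
The stack trace above carries the password because PHP records each frame's arguments when an exception is created; on PHP 8.2 (the version in this report) the `#[\SensitiveParameter]` attribute and the `zend.exception_ignore_args` setting both prevent that. The following is an added example, not part of the original issue and not TeamPass code; the function names and sample values are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example: a hypothetical two-frame call chain, not TeamPass code.

function verifyPlain(string $hash, string $password): void {
    if (!password_verify($password, $hash)) {
        throw new Exception('Password is not correct');
    }
}
function verifyMarked(string $hash, #[\SensitiveParameter] string $password): void {
    if (!password_verify($password, $hash)) {
        throw new Exception('Password is not correct');
    }
}

function loginPlain(string $user, string $password, string $hash): void { verifyPlain($hash, $password); }
// Only the innermost frame is protected here; this caller's own frame still records the password.
function loginInnerOnly(string $user, string $password, string $hash): void { verifyMarked($hash, $password); }
// Every function that receives the password marks it.
function loginMarked(string $user, #[\SensitiveParameter] string $password, string $hash): void {
    verifyMarked($hash, $password);
}

// Runs the call and returns the trace text that would end up in the error log.
function traceOf(Closure $call): string {
    try { $call(); } catch (Exception $e) { return $e->getTraceAsString(); }
    return '';
}

$hash   = password_hash('old-sample-pw', PASSWORD_BCRYPT); // constructed sample values
$typed  = 'Sample-Typed-Pw-1';
$needle = substr($typed, 0, 12); // trace strings truncate long string arguments (15 chars by default)

ini_set('zend.exception_ignore_args', '0'); // arguments are recorded in traces
$cases = [
    'no attribute' => traceOf(fn() => loginPlain('USER.NAME', $typed, $hash)),
    'inner only'   => traceOf(fn() => loginInnerOnly('USER.NAME', $typed, $hash)),
    'every frame'  => traceOf(fn() => loginMarked('USER.NAME', $typed, $hash)),
];
ini_set('zend.exception_ignore_args', '1'); // arguments are dropped from every trace
$cases['ignore_args=1'] = traceOf(fn() => loginPlain('USER.NAME', $typed, $hash));

foreach ($cases as $label => $trace) {
    printf("%-14s password in trace: %s\n", $label, str_contains($trace, $needle) ? 'YES' : 'no');
}
```

The "inner only" case still reports the password because the caller's frame records its own arguments, which is why the log above shows it in frames #0 through #3 rather than only in `migratePassword`.
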

kcbieng commented 7 months ago

4030