Ticket #3735 (closed Bugs: fixed)

Opened 4 years ago

Last modified 4 years ago

Weak password module is e-mailing passwords

Reported by: jmullinix Assigned to:
Priority: major Milestone: 2.6
Component: Online Support Version: 2.5-branch
Keywords: Cc:
Confirmation: Need Feedback Distro:
Backend Engine: All Distro Ver:
Backend Ver: SVN Revision (if applicable): 7968

Description

This has to be a bug or a very poorly thought out feature. I added the weak passwords module this afternoon and this evening, my PBX sent me an e-mail telling which extensions had weak passwords. That is a little iffy, but tolerable. The problem is the server also told me what the weak passwords were. That is not good. The phone system sent me an email with the extension number and its weak password.

Change History

06/25/09 15:04:24 changed by p_lindheimer

  • owner deleted.
  • confirmation changed from Unreviewed to Need Feedback.
  • component changed from - choose - to Online Support.

I saw something about this before but it finally clicked (I couldn't figure out why people said they were getting email sent when the module does not send email).

The freepbx-cron-schedule.php, which does things like send out the notification for updates, also sends out any notification that is marked as a security notification. This leads to some questions:

  • Are you getting the email resent every night, or just once?
  • Should we send Security Notifications?
  • If yes to the above, then should the weak password be tagged as a different type of notification than security?

My opinion is that it should be a security warning that is emailed once, though I could see how emailing the details of the issue (e.g. the passwords that are insecure) could be problematic, as in a worse security situation. The current mechanism just sends all the details in the notification. The original intent was to send a warning if we saw some security issues, but we didn't expect that the very notification would have sensitive information in its content.

So ... feedback?

06/29/09 07:57:32 changed by jmullinix

Thanks Philippe,

I have only received it the one time. It is not being sent each night. I think you should send security notifications, but weak passwords are a challenge. I think it is fair, even a neat feature, for the PBX to send a notice about passwords being weak. Just don't include the password. I also had that module flag one of my passwords as weak for having double letters in an otherwise very complex password. It flagged it as weak but it wasn't.

It did send it via regular e-mail. That question was asked in the forums.

06/29/09 13:54:10 changed by p_lindheimer

John,

Well, the dilemma is this: the mechanism sends any update that is a security warning; if it is posted in the notification box, that exact message is sent. We could make it another type, or we could do the 'much harder' thing of modifying the notification mechanism to add a tag of whether or not the message should be sent. The latter case is much more work affecting many more places and is thus less likely to occur.

As far as the complex password that it flagged as bad, if you could file a separate bug on that, giving the password (well, an equivalent one that you don't plan on using) that is creating the error, that would be helpful and we can look at the regex that is deciding it is bad. (Or better yet, if you want to have a look at the code and propose a patch, that will also be well received...)

06/30/09 07:09:19 changed by jmullinix

Philippe,

Could the weak password module be modified to not include the weak password anywhere? That way, the notification would appear on the screen, but the password would not. That should also eliminate it from the security e-mail.

I am not terribly familiar with FreePBX code and its layout, but I will take a look at the weak password module and see if I see a workaround. It won't happen until tomorrow, however.

06/30/09 10:20:39 changed by p_lindheimer

Jmullinix,

Sure, it could be removed and then would not appear in the notification. However, I don't like that solution. I think it is very useful to be put in the dashboard notification and not require you to go to the module page to see the weak passwords. Of course that creates another dilemma. We probably want that message to contain the weak password info while the email does not, but is still sent telling you that you have an issue.

I guess another argument could be made that, if you have weak passwords and it is emailed to you, then you probably want to fix the issue quickly, thus the email does not matter so much (as it is, a lot of sites will email you a forgotten password if you ask, though that is not the most secure either). If it turns out that the weak password is from a carrier out of your control, and you care (since you are running the module), then it would be further motivation to get the carrier to get a decent password or find service elsewhere...?

07/23/09 17:09:11 changed by cards1007

I'm of the opinion that knowing what the weak password is doesn't provide any benefit. If the module explains what is wrong with the password (i.e., Extension: 555 => Secret less than 6 digits), that is enough information to know that you need to set a new password.

07/23/09 17:26:17 changed by p_lindheimer

cards1007,

I think you put the right perspective on it. Nothing like a simple solution. If one of the devs out there feels like modifying this to do that, or someone wants to submit the patch file, I'll be happy to make the change and get it in.

08/03/09 15:28:32 changed by jjshoe

  • svn_rev set to 7968.

done in r7968

08/07/09 18:20:26 changed by p_lindheimer

  • status changed from new to closed.
  • resolution set to fixed.

(In [7969]) Merged revisions 7967-7968 via svnmerge from http://svn.freepbx.org/modules/branches/2.5

........

r7967 | jjshoe | 2009-08-03 12:19:34 -0700 (Mon, 03 Aug 2009) | 2 lines

fixes #3611, fixes #3435, fixes #3317, fixes #3307 Fixed pattern matching to prevent deadly parked call loop

........

r7968 | jjshoe | 2009-08-03 12:28:18 -0700 (Mon, 03 Aug 2009) | 4 lines

fixes #3735 Don't send the actual secret in the email

Also warn if a secret is blank.

........
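As an added illustration (not FreePBX's own code) of the approach cards1007 proposes and r7968 implements, the notification below names the weakness category and warns when a secret is blank, but never carries the secret itself; the rules beyond "blank" and "shorter than 6" are assumed for the example, and a guard checks that no secret leaks into the message body.

```python
"""Weak-secret notification that never echoes the secret.

Added example, not FreePBX code. Rules other than blank/short are assumed
for illustration; there is deliberately no "double letters" rule, which
the ticket reports as a false positive.
"""
from typing import Dict, List

MIN_LENGTH = 6  # taken from the "Secret less than 6 digits" wording


def describe_weakness(extension: str, secret: str) -> List[str]:
    """Return reasons a secret is weak, described without quoting it."""
    reasons: List[str] = []
    if secret == "":
        reasons.append("Secret is blank")  # the extra warning added in r7968
        return reasons
    if len(secret) < MIN_LENGTH:
        reasons.append(f"Secret shorter than {MIN_LENGTH} characters")
    if secret.isdigit():
        reasons.append("Secret is all digits")  # assumed rule
    return reasons


def build_notification(secrets: Dict[str, str]) -> str:
    """Compose the body used for both the dashboard and the security e-mail."""
    lines = []
    for extension, secret in sorted(secrets.items()):
        reasons = describe_weakness(extension, secret)
        if reasons:
            # Same shape as the ticket's suggestion: "Extension: 555 => ..."
            lines.append(f"Extension: {extension} => {'; '.join(reasons)}")
    if not lines:
        return "No weak secrets found."
    header = f"{len(lines)} extension(s) have weak secrets:"
    return "\n".join([header, *lines])


def leaks_any_secret(body: str, secrets: Dict[str, str]) -> bool:
    """Guard: a non-empty secret must never appear in the outgoing text."""
    return any(s and s in body for s in secrets.values())


# Constructed sample extensions/secrets for the example (not from a real PBX).
SAMPLE = {"555": "1234", "556": "", "557": "Xk9#vLm2q!", "558": "00112233"}

if __name__ == "__main__":
    message = build_notification(SAMPLE)
    assert not leaks_any_secret(message, SAMPLE)
    print(message)
```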