No Code Attached Yet
miavi
10 Oct 2023

Prints username & password in plain text when using nginx proxypass

On the admin page login, when you send the username and password through POST, and in nginx you have body_request activated

I clearly show what is important, not the entire log, where XXXXX is the username and YYYY is the password

{"time_iso8601_custom_format": "\\2023/\\10/\\10 \\11:43:15", "scheme": "https", "status": "303", "request_time": "0.112", "request_method": "POST", "request_uri": "/administrator/index.php", "server_protocol": "HTTP/2.0", "upstream_response_time": "0.112", "http_user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", "request_body": "username=XXXXXX&passwd=YYYYYY&lang=&option=com_login&task=login&return=aW5kZXgucGhw&3ff544fd102cae7bc3599cbce8651ed0=1"}

For security, do not print the password in plain text.

Testing only with the official Docker image + nginx proxypass

I don't know if this will happen in other more current versions 4.3.4 or 5.x

miavi - open - 10 Oct 2023
joomla-cms-bot - change - 10 Oct 2023
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 10 Oct 2023
miavi - change - 10 Oct 2023
The description was changed
miavi - edited - 10 Oct 2023
SniperSister - comment - 10 Oct 2023

First of all, a public GitHub ticket is not the proper place to report potential security issues, please use security@joomla.org for future findings.

Regarding the actual finding: "body_request" enables logging of the full request body including potentially included secrets. That's the whole point of that config flag.

So, it's not a Joomla security issue but intended behavior of an nginx flag.

miavi - comment - 10 Oct 2023

I didn't know about that email for security problems.

Anyway, the nginx body_request, when entering /administrator, logs the password clearly. Other software in the same POST request sends the encrypted password.

If you consider it correct that a software like Joomla sends the request in clear, no matter how much TLS is implemented, I do not see it as very correct.

SniperSister - close - 10 Oct 2023
SniperSister - change - 10 Oct 2023
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2023-10-10 19:23:16
Closed_By: SniperSister
SniperSister - comment - 10 Oct 2023

> If you consider it correct that a software like Joomla sends the request in clear, no matter how much TLS is implemented, I do not see it as very correct.

TLS is transport layer security, so the data is encrypted during transport but unencrypted on the receiving end, so the server. That's again intended behavior.

I can only repeat: this is not a Joomla-related issue, therefore I'm closing the ticket.
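
For access logs that already captured login bodies as in the entry quoted in this thread, the following added example (not part of the original thread, and not Joomla or nginx code) redacts credential fields from JSON log lines whose `request_body` key holds a urlencoded form. The field names other than `passwd`, the function names and the sample lines are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qsl, urlencode

# "passwd" is the field logged on this page; the other names are assumptions.
SENSITIVE_FIELDS = {"passwd", "password", "pass", "pwd"}
REDACTED = "[REDACTED]"

# Constructed sample lines in the shape of the entry above (not real data).
SAMPLE_LOG = [
    '{"request_method": "POST", "request_uri": "/administrator/index.php", '
    '"request_body": "username=alice&passwd=S3cret%21&option=com_login&task=login"}',
    '{"request_method": "GET", "request_uri": "/", "request_body": ""}',
]

def redact_body(body):
    """Return (redacted_body, redacted_field_names) for a urlencoded form body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    hits = [k for k, v in pairs if k.lower() in SENSITIVE_FIELDS and v]
    if not hits:
        return body, []  # leave non-form or harmless bodies byte-for-byte intact
    cleaned = [(k, REDACTED if k in hits else v) for k, v in pairs]
    return urlencode(cleaned, safe="[]"), hits  # keep the marker readable

def redact_log_line(line):
    """Redact one JSON log line; lines that are not JSON objects pass through."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return line, []
    body = entry.get("request_body") if isinstance(entry, dict) else None
    cleaned, hits = redact_body(body) if isinstance(body, str) else (body, [])
    if hits:
        entry["request_body"] = cleaned
        return json.dumps(entry), hits
    return line, []

def scan(lines):
    """Return (redacted_lines, findings); a finding is (line_no, uri, fields)."""
    out, findings = [], []
    for no, line in enumerate(lines, 1):
        cleaned, hits = redact_log_line(line)
        out.append(cleaned)
        if hits:
            findings.append((no, json.loads(cleaned).get("request_uri"), hits))
    return out, findings

if __name__ == "__main__":
    print(scan(SAMPLE_LOG)[1])
```

Redacted lines are re-serialized, so key order is preserved but whitespace and percent-encoding of the other form fields may differ from the original line.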
