oss-sec mailing list archives
Cleartext passwords external services in Squash TM's web interface
From: Guillaume Quéré <guillaume () quere eu>
Date: Thu, 13 Sep 2018 07:48:28 +0200 (CEST)
SquashTM -------- Squash TM is a web interface used to manage test cases. More at: https://www.squashtest.org/en Description ----------- There is a vulnerability in SquashTM's administration panel, where external services (a.k.a. automation servers) are defined: each service's HTML page contains the cleartext password of the service's account. These external services could be anything but a popular example is a Jenkins server. I believe there is no reason that a service should display the password of another service, as this gives an attacker the opportunity to spread laterally. If *anything*, the password should be hashed but then again I fail to see any reason this information should be provided at all in this context. This is somewhat even more exploitable given the fact that Squash's default credentials are admin:admin. Details ------- Here's an example URL: http://localhost:8080/squash/administration/test-automation-servers/1 Here's an extract of the page's source code: <label for="ta-server-password">Password</label> <div id="ta-server-password" class="display-table-cell" style="font-weight: bold;">cleartext_password</div> Scoring ------- Attack vector: network Attack complexity: low Authentication required: yes (admin) Impacts: confidentiality CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N Timeline -------- 2018-07-20: Vulnerability reported as a private security bug: https://ci.squashtest.org/mantis/view.php?id=7553 2018-09-11: ACK required from editor 2018-09-13: Disclosure to oss-sec Unsure if I should request a CVE for this? Seems kinda trivial. Guillaume Quéré
Current thread:
- Cleartext passwords external services in Squash TM's web interface Guillaume Quéré (Sep 13)