Bug 48687 - univention-join -verbose exposes admin password
Status: NEW
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
UCS 4.4
Other Linux
Importance: P5 normal with 1 vote
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2019-02-15 10:03 CET by Christian Völker
Modified: 2020-07-06 16:33 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019021421000413
Bug group (optional): Security, Troubleshooting
Max CVSS v3 score: 4.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)


Description Christian Völker univentionstaff 2019-02-15 10:03:13 CET
univention-join has the "-verbose" flag to enable verbose logging.

This appears to be done by simply setting a "set -x" at the beginning of the script.

Unfortunately this exposes the administrator password which is then written several times to the join.log file.



This is no good, not even when one is aware of it.

"-verbose" should log verbose output without the password.
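
The following is an added example, not part of the report and not univention-join's own code. It shows how `set -x` writes an expanded password into the trace and one way to keep tracing for everything except the step that handles the secret. All function names, the password file and the sample password are constructed for illustration.

```shell
# Added illustration; helper names and the sample secret are constructed.
SAMPLE_PW='S3cr3t-constructed'

# Hypothetical stand-in for a join step that consumes the admin password.
use_password() { [ -n "$1" ]; }

# Leaky pattern: under xtrace both the assignment and the call are traced
# with the password already expanded.
leaky_step() {
    pw=$(cat "$1")
    use_password "$pw"
}

# Hardened pattern: only a file path crosses traced code; xtrace is switched
# off before the secret is read and restored afterwards if it was on.
safe_step() {
    case $- in *x*) _xtrace=1 ;; *) _xtrace=0 ;; esac
    set +x
    pw=$(cat "$1")
    use_password "$pw"
    _rc=$?
    unset pw
    [ "$_xtrace" -eq 1 ] && set -x
    return "$_rc"
}

# Run a step with xtrace enabled and emit only the trace (stderr).
trace_of() {
    ( set -x; "$@" ) 2>&1 >/dev/null
}

# Succeeds if the trace of the given step contains the sample secret.
trace_leaks_secret() {
    trace_of "$@" | grep -q -F -- "$SAMPLE_PW"
}

# Create a password file with mktemp (mode 0600) holding the sample secret.
make_pwfile() {
    _f=$(mktemp) || return 1
    printf '%s' "$SAMPLE_PW" > "$_f"
    printf '%s\n' "$_f"
}

pwfile=$(make_pwfile)
for step in leaky_step safe_step; do
    trace_leaks_secret "$step" "$pwfile" && r="password in trace" || r="trace clean"
    echo "$step: $r"
done
rm -f "$pwfile"
```

Passing the password itself as an argument to `safe_step` would defeat the fix, because the call line is traced before the function can turn tracing off.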