Bug 49309 - Opening random computer in UCS shows error dialog with my password
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.3
Hardware: amd64 Linux
Importance: P5 critical
Assigned To: UMC maintainers
Reported: 2019-04-17 11:14 CEST by Roman
Modified: 2019-05-29 16:45 CEST (History)
Bug group (optional): Workaround is available


Attachments
Message displays password in clear text (62.53 KB, image/jpeg)
2019-04-17 11:15 CEST, Roman

Description Roman 2019-04-17 11:14:00 CEST
Created attachment 9976
Message displayed in clear text

It happened a second time, and for the second time while colleagues were looking over my shoulder. Both embarrassing, and now they know my password pattern.

When it happens: when I go to the Univention Management Centre web UI. I go to Computers, open a certain computer and the attached message shows up. It does not happen again if I go to the same computer or a different computer.
First time happened yesterday. Second time today. 

Message:
The following empty properties were set to default values in the form. These values will be applied when saving.

    [Advanced settings] - Account - Password: *********


I grepped logs for my password - no results. Any useful logs I can show here?
Comment 1 Roman 2019-04-17 11:15:57 CEST
Created attachment 9977
Message displays password in clear text
Comment 2 Roman 2019-04-17 11:16:19 CEST
Comment on attachment 9976
Message displayed in clear text

delete this attachment please, sensitive info
Comment 3 Florian Best univentionstaff 2019-04-17 11:18:45 CEST
Thank you for submitting the bug report.
Can you please give your UCS version including the errata version?
What browser and which browser version are you using?

Did you save your login password in the browser?
I think it is a duplicate of Bug #46198, which is fixed in UCS 4.4.
Comment 4 Roman 2019-04-17 11:20:33 CEST
Please delete Attachment #9976

UCS version 4.3-3 errata4101

Browser: Firefox 66.0.3 (64-bit)
OS: Linux Ubuntu 18.04.2 LTS
Comment 5 Roman 2019-04-17 11:22:15 CEST
CORRECTION
UCS version 4.3-3 errata410
Comment 6 Roman 2019-04-18 12:50:14 CEST
I can confirm it does not happen in Chrome browser 73.0.3683.103 64Bit
Comment 7 Roman 2019-04-25 11:05:54 CEST
Update:
It appears the problem is only with Firefox, and happens if you save your password in Firefox for UCS ("Remember Password" button).

I have removed all my passwords from Firefox saved logins.

It is probably JavaScript code which takes saved logins and uses password to auto fill in forms? Except Chrome browser does not allow it, Firefox does.
Comment 8 Florian Best univentionstaff 2019-04-25 11:10:44 CEST
I will add this bug to our prioritization to decide if we backport a fix for UCS 4.3. It's fixed in UCS 4.4 already.
Comment 9 Roman 2019-04-25 11:14:34 CEST
Thanks, I will be upgrading at some point. For now it is fixed with workaround of removing passwords from Firefox.
Comment 10 Ingo Steuwer univentionstaff 2019-05-29 16:45:09 CEST
This is fixed with UCS 4.4, most of our users have already upgraded. As a workaround exists no backport is needed IMHO.
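
Added example, not part of any comment above and not UMC's code: a minimal model of a form routine that builds the "empty properties were set to default values" notice without echoing a value a browser password manager injected into a password field. All function and field names and the sample data are hypothetical, and it assumes the notice is built when the object is opened, before the user has typed anything.

```javascript
// Hypothetical field model (not UMC's): { path, type, loaded, current }
//   loaded  = value the server sent when the object was opened
//   current = value found in the widget when the notice is built
const SENSITIVE_TYPES = new Set(["password"]);

function isSensitive(field) {
  return SENSITIVE_TYPES.has(field.type);
}

// Attributes to render on a sensitive input. "new-password" is the standard
// HTML autocomplete token hinting that saved login credentials do not belong here.
function hardenedAttributes(field) {
  return isSensitive(field) ? { autocomplete: "new-password" } : {};
}

// Build the notice lines. A sensitive field that was empty on the server but
// holds a value now was filled by something other than a form default, so its
// value is never rendered; its path is returned so the caller can clear it.
function summarizeDefaults(fields) {
  const lines = [];
  const discarded = [];
  for (const f of fields) {
    const wasEmpty = f.loaded === "" || f.loaded == null;
    const nowSet = f.current !== "" && f.current != null;
    if (!wasEmpty || !nowSet) continue; // unchanged or still empty
    if (isSensitive(f)) {
      discarded.push(f.path);
      continue;
    }
    lines.push(`${f.path}: ${f.current}`);
  }
  return { lines, discarded };
}

// Constructed sample data. Only the Password path is taken from the report.
const sampleFields = [
  { path: "[General] - Example - Login shell", type: "text",
    loaded: "", current: "/bin/false" },
  { path: "[Advanced settings] - Account - Password", type: "password",
    loaded: "", current: "constructed-autofill-value" },
  { path: "[General] - Example - Description", type: "text",
    loaded: "lab host", current: "lab host" },
];

const result = summarizeDefaults(sampleFields);
console.log(result.lines.join("\n"));
console.log("cleared without display:", result.discarded);
```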