
List:       oss-security
Subject:    [oss-security] Cleartext passwords external services in Squash TM's web interface
From:       Guillaume_Quéré <guillaume () quere ! eu>
Date:       2018-09-13 5:48:28
Message-ID: 1055142734.297784.1536817708481 () email ! 1and1 ! fr

SquashTM
--------
Squash TM is a web interface used to manage test cases. More at: https://www.squashtest.org/en

Description
-----------
There is a vulnerability in SquashTM's administration panel, where external services (a.k.a. automation servers) are defined: each service's HTML page contains the cleartext password of the service's account. These external services could be anything, but a popular example is a Jenkins server.

I believe there is no reason that a service should display the password of another service, as this gives an attacker the opportunity to spread laterally. If *anything*, the password should be hashed, but then again I fail to see any reason this information should be provided at all in this context. This is somewhat even more exploitable given the fact that Squash's default credentials are admin:admin.

Details
-------
Here's an example URL: http://localhost:8080/squash/administration/test-automation-servers/1
Here's an extract of the page's source code:

      <label for="ta-server-password">Password</label>
      <div id="ta-server-password" class="display-table-cell" style="font-weight: bold;">cleartext_password</div>
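Added example (not part of the advisory or of Squash TM's own code): a small audit check that parses a saved copy of the administration page and reports whether the password element still carries an unmasked value. The HTML samples are constructed from the fragment quoted above; the "fixed" page is an assumed masked rendering, not what Squash TM ships. Running this against exported pages before and after an upgrade is a quick way to confirm the leak is gone.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the fragment quoted in the advisory.
# The password value is a placeholder, not a real credential.
VULNERABLE_PAGE = """
<html><body>
  <label for="ta-server-url">URL</label>
  <div id="ta-server-url" class="display-table-cell">http://jenkins.example/</div>
  <label for="ta-server-password">Password</label>
  <div id="ta-server-password" class="display-table-cell" style="font-weight: bold;">cleartext_password</div>
</body></html>
"""

# Constructed sample of an assumed hardened page: the field is masked
# server-side so the secret never reaches the browser.
FIXED_PAGE = """
<html><body>
  <label for="ta-server-password">Password</label>
  <div id="ta-server-password" class="display-table-cell">••••••••</div>
</body></html>
"""

# HTML void elements never receive an end tag, so they must not affect nesting depth.
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}


class _ElementTextCollector(HTMLParser):
    """Collect the text content of every element whose id is in target_ids."""

    def __init__(self, target_ids):
        super().__init__()
        self.target_ids = set(target_ids)
        self.found = {}      # element id -> concatenated text
        self._current = None  # id of the element being collected, if any
        self._depth = 0       # nesting depth inside that element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        if self._current is not None:
            self._depth += 1
            return
        element_id = dict(attrs).get("id")
        if element_id in self.target_ids:
            self._current = element_id
            self._depth = 0
            self.found[element_id] = ""

    def handle_endtag(self, tag):
        if self._current is None or tag in VOID_TAGS:
            return
        if self._depth == 0:
            self._current = None
        else:
            self._depth -= 1

    def handle_data(self, data):
        if self._current is not None:
            self.found[self._current] += data


# Whitespace and typical mask characters only: treat as "not exposed".
MASK_RE = re.compile(r"^[\s*•·]*$")


def find_exposed_credentials(html, target_ids=("ta-server-password",)):
    """Return {element_id: text} for target elements whose text is not masked or empty."""
    parser = _ElementTextCollector(target_ids)
    parser.feed(html)
    parser.close()
    return {eid: text.strip() for eid, text in parser.found.items()
            if not MASK_RE.match(text)}


if __name__ == "__main__":
    for name, page in (("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE)):
        leaked = find_exposed_credentials(page)
        status = "EXPOSED" if leaked else "ok"
        print(f"{name}: {status} {list(leaked)}")
```

The check keys on the element id from the quoted source rather than on the visible value, so it stays meaningful after the password is rotated; pass a different `target_ids` tuple if other fields on the page need the same treatment.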

Scoring
-------
Attack vector: network
Attack complexity: low
Authentication required: yes (admin)
Impacts: confidentiality
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Timeline
--------
2018-07-20: Vulnerability reported as a private security bug: https://ci.squashtest.org/mantis/view.php?id=7553
2018-09-11: ACK required from editor
2018-09-13: Disclosure to oss-sec


Unsure if I should request a CVE for this? Seems kinda trivial.

Guillaume Quéré

