Username and Password sent as plain text.

Moderator: crythias

cyberwalk3r
Znuny newbie
Posts: 4
Joined: 16 Jun 2017, 15:32
Znuny Version: 5.0.18
Real Name: Shrinivas Ambat

Username and Password sent as plain text.

Post by cyberwalk3r »

We're using OTRS version 5.0.18, and the application recently went through VAPT. There were a few issues in that, one of which is username and password being sent as plain text. Could anyone help me close this point ASAP?
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: Username and Password sent as plain text.

Post by jojo »

use https and not http
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
cyberwalk3r

Re: Username and Password sent as plain text.

Post by cyberwalk3r »

jojo wrote: use https and not http
Even when using https, I can intercept the user credentials using Burp Suite by creating a proxy.
jojo

Re: Username and Password sent as plain text.

Post by jojo »

I still don't see a real issue here, as man-in-the-middle attacks would also work on other solutions.
cyberwalk3r

Re: Username and Password sent as plain text.

Post by cyberwalk3r »

jojo wrote: I still don't see a real issue here, as man-in-the-middle attacks would also work on other solutions.
The VAPT team suggested that we encrypt the credentials on the login page before sending them to the server, and then decrypt the credentials on the server side.
jojo

Re: Username and Password sent as plain text.

Post by jojo »

Feel free to submit your idea via IdeaScale or send a pull request via GitHub.
reneeb
Znuny guru
Posts: 5018
Joined: 13 Mar 2011, 09:54
Znuny Version: 6.0.x
Real Name: Renée Bäcker
Company: Perl-Services.de
Contact:

Re: Username and Password sent as plain text.

Post by reneeb »

How should that help? If there's a man in the middle attack, the attacker could decrypt the data as well. So no security gain.
Perl / Znuny development: http://perl-services.de
Free Znuny add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de
cyberwalk3r

Re: Username and Password sent as plain text.

Post by cyberwalk3r »

reneeb wrote: How should that help? If there's a man-in-the-middle attack, the attacker could decrypt the data as well. So no security gain.
If the creds are encrypted using a strong encryption method such as RSA, and then decrypted on the server side. This is what they have suggested: using a public key, encrypt the credentials on the client side, and decrypt them using the private key on the server side.
reneeb

Re: Username and Password sent as plain text.

Post by reneeb »

Sure, but if an attacker can control the requests, they can send the browser their own public key. The browser encrypts the login data with the public key of the attacker. The attacker can now decrypt the data using their own private key, re-encrypt the data using the OTRS public key and send it to the OTRS instance.

If you want to avoid that scenario, you have to distribute the public key another way and store it locally (e.g. http://openpgpjs.org/). But that means that every user has to do some work when the public key changes...