Username and Password sent as plain text.
Moderator: crythias
- Znuny newbie
- Posts: 4
- Joined: 16 Jun 2017, 15:32
- Znuny Version: 5.0.18
- Real Name: Shrinivas Ambat
Username and Password sent as plain text.
We're using OTRS version 5.0.18, and the application recently went through VAPT. There were a few issues, one of which is that the username and password are sent as plain text. Could anyone help me close this point ASAP?
Re: Username and Password sent as plain text.
use https and not http
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
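A check that makes the "use https" advice concrete, added here as an example and not code from the thread or from OTRS: given the scheme a login request went over and the response headers, it reports what a VAPT would still flag (plain HTTP, missing HSTS, session cookie without Secure/HttpOnly, no HTTP-to-HTTPS redirect). The sample responses are constructed; the cookie name is assumed to resemble the OTRS session cookie and is not taken from a real instance.

```python
import re

# Headers are kept as (name, value) pairs because Set-Cookie may repeat.
def _get(headers, name):
    return [v for k, v in headers if k.lower() == name.lower()]

def audit_login_transport(scheme, status, headers):
    """Return findings for one login response; an empty list means the
    transport protections a VAPT normally checks for are in place."""
    findings = []
    if scheme != "https":
        findings.append("credentials submitted over plain HTTP")
        return findings  # nothing else matters until TLS is enforced
    hsts = _get(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < 31536000:
            findings.append("HSTS max-age below one year")
    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly flag")
    return findings

def audit_http_redirect(status, headers):
    """A plain-HTTP request to the login URL must be redirected to https://."""
    loc = _get(headers, "Location")
    if status in (301, 308) and loc and loc[0].lower().startswith("https://"):
        return []
    return ["plain-HTTP login URL is not redirected to HTTPS"]

# Constructed sample responses (not captured from a real OTRS instance);
# the session cookie name is an assumption for illustration.
WEAK = ("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "OTRSAgentInterface=abc123; path=/"),
])
HARDENED = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "OTRSAgentInterface=abc123; path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_login_transport(*resp) or "ok")
```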
- Znuny newbie
- Posts: 4
- Joined: 16 Jun 2017, 15:32
- Znuny Version: 5.0.18
- Real Name: Shrinivas Ambat
Re: Username and Password sent as plain text.
jojo wrote: use https and not http

Even when using https, I can intercept the user credentials using Burp Suite by creating a proxy.
Re: Username and Password sent as plain text.
I still don't see a real issue here, as man in the middle attacks would also work on other solutions
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
- Znuny newbie
- Posts: 4
- Joined: 16 Jun 2017, 15:32
- Znuny Version: 5.0.18
- Real Name: Shrinivas Ambat
Re: Username and Password sent as plain text.
jojo wrote: I still don't see a real issue here, as man in the middle attacks would also work on other solutions

The VAPT team suggested that we encrypt the credentials on the login page before sending them to the server, and then decrypt the credentials on the server side.
Re: Username and Password sent as plain text.
Feel free to submit your idea via ideascale or send a pull request via github
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
- Znuny guru
- Posts: 5018
- Joined: 13 Mar 2011, 09:54
- Znuny Version: 6.0.x
- Real Name: Renée Bäcker
- Company: Perl-Services.de
Re: Username and Password sent as plain text.
How should that help? If there's a man in the middle attack, the attacker could decrypt the data as well. So no security gain.
Perl / Znuny development: http://perl-services.de
Free Znuny add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de
- Znuny newbie
- Posts: 4
- Joined: 16 Jun 2017, 15:32
- Znuny Version: 5.0.18
- Real Name: Shrinivas Ambat
Re: Username and Password sent as plain text.
reneeb wrote: How should that help? If there's a man in the middle attack, the attacker could decrypt the data as well. So no security gain.

The creds would be encrypted using a strong encryption method such as RSA and then decrypted on the server side. This is what they have suggested: encrypt the credentials on the client side using a public key, and decrypt them using the private key on the server side.
- Znuny guru
- Posts: 5018
- Joined: 13 Mar 2011, 09:54
- Znuny Version: 6.0.x
- Real Name: Renée Bäcker
- Company: Perl-Services.de
Re: Username and Password sent as plain text.
Sure, but if an attacker can control the requests, they can send the browser their own public key. The browser encrypts the login data with the public key of the attacker. The attacker can now decrypt the data using their own private key, re-encrypt the data using the OTRS public key and send it to the OTRS instance.
If you want to avoid that scenario, you have to distribute the public key in another way and store it locally (e.g. http://openpgpjs.org/). But that means that every user has to do some work when the public key changes....
Perl / Znuny development: http://perl-services.de
Free Znuny add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de