Issue with password and username getting prefilled in !

Discussion regarding Joomla! 2.5 security issues.

Post by mojito » Tue Jan 22, 2013 3:10 pm

This is a particularly alarming issue for our clients who use this as an intranet. We have seen an example where the login page 'username' and 'password' get populated automatically at some point, we are not sure which.

The issue is it's getting populated with usernames from recently registering members and not the user who normally uses this client PC.
So yes, the user sees someone else's password pre-filled in (obtainable through addons though masked) and username. And the password has been found to be valid.

Can someone outline what happens via sessions, I am completely baffled as

a) the password is lost after registration to a one way encrypted code
b) the username if saved is saved to a separate remote machine
c) we had already removed the password getting sent via email immediately after registration.

This has happened 3 reported times across the staff members. We don't have screenshots as such but from reliable sources.

The login session time was set at 260 minutes - of inactivity.

The last reported incident was a Firefox tab a guy returned to and clicked either login or was redirected as soon as trying to do something within the site to the login with the pre-populated fields.

Many thanks for your K.

Post by mandville » Tue Jan 22, 2013 3:38 pm

run and post the fpa,
reduce the session time to a few minutes,
see what that does
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by mojito » Tue Jan 22, 2013 3:56 pm

We would rather not run the FPA for security reasons on this particular site. Sorry.

We increased session inactivity time to account for people getting phone calls, going to lunch part way through a blog or post for example. It's only these 3 cases in as many months so we won't really know if it helps unless it goes away entirely.

But it would be helpful to me to learn what the process is that CAN even cause this -

So I run through checking the authorisation in $app at the next point through the cycle and find that due to the session expiring I am now to be not logged in - fine. So we redirect to the login page

public function authorise($itemid)
{
    $menus = $this->getMenu();
    $user  = JFactory::getUser();

    if (!$menus->authorise($itemid))
    {
        if ($user->get('id') == 0)
        {
            // Redirect to login, keeping the requested URL as the return target
            $uri    = JFactory::getURI();
            $return = (string) $uri;

            $this->setUserState('users.login.form.data', array('return' => $return));

            $url = 'index.php?option=com_users&view=login';
            $url = JRoute::_($url, false);

            $this->redirect($url, JText::_('JGLOBAL_YOU_MUST_LOGIN_FIRST'));
        }
        // (rest of the method is not shown in the post)
    }
}

and here what is even able to get this foreign data off the site. So can someone highlight even at concept level how sessions work with Joomla login? When we don't even store the password how this is possible - or does the password get stored in a session cookie?
Last edited by mojito on Tue Jan 22, 2013 11:19 pm, edited 1 time in total.
Check out the 'bad toilet' online !

Post by PhilD » Tue Jan 22, 2013 4:50 pm

This is really sounding like normal browser activity in some cases and I have seen it at work with both Firefox and IE and also when using custom login pages for web apps.

Scenario is user 1 enters username and password on a login page, logging in to an area. They then leave browser page and/or tab open, but delete the contents of the user name field leaving page or tab open.
User 2 comes along and, if smart, will hit the back page arrow or button in the browser which in some applications will reload the info from the browser session which will repopulate the login information boxes.

A second scenario is that user 1 is using a common login session (many work environments have general terminals with a common login that is known by everyone) and selected the remember password in the popup in the browser (the one that pops up when entering a username and password in a form). Upon user 2 using the same general session the login info boxes will become prefilled with user 1's login info which user 2 can then use to login as user 1.

You will need to find out more information about their general terminal (browser) usage, their browser setups, their security policies, and if they are using some type of custom login page.

Users should always delete any login information left in boxes and close the tab or browser window that contained private (login) data immediately after use.
They should also manually clear the cache and history of the browser if this is not set up to be automatically done.
The browser should not offer to save any password or user info and users should not have authorization to change that in a work or other public environment.
Users should never save the login info in a browser if the browser offers a popup to save such info.
Users should never leave a session logged in when not at their desk and their computer screen should turn off and should be set to lock after a few minutes of inactivity.
The browser config file should be off limits to non administrators so that any changes made can not be easily bypassed.

It sounds as if you're using stock unmodified browser installs, not preventing the save password popup, not automatically clearing private data from browser upon close, using the same browser profile for everyone who uses the computer, using very minimal if any security policies, and allowing users to dictate computer usage policies through complaints like "I don't want to log back in after lunch."
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Post by mojito » Tue Jan 22, 2013 5:14 pm

These user details were coming from a registration 100's of miles away, no computer in this case is public. Yes there are plenty of good tips here and the company are restricting the use of the browser, clearing the cookies is not happening.

What no one still gets is how these user details including password - WHO DID NOT GET ACTIVATED ! can appear on a computer hundreds of miles away. But thanks for the insight.

In the case that the user didn't get ACTIVATED but was registered, what cookies are created at this point for this user with the site?

Is there a table where I can take a look at some sample session data (is it a database session ?)

----------------------------
from the model I can see this where potentially prepopulation could occur - or certainly session stuff

com_users/model/login.php

Code:

protected function loadFormData()
{
    // Check the session for previously entered login form data.
    $app  = JFactory::getApplication();
    $data = $app->getUserState('users.login.form.data', array());

    // Debug output: dump whatever form data the session is holding
    print_r($data);

    // (rest of the method is not shown in the post)
}

The above usually just has a return path in it, which is where we would redirect after a successful login.
Last edited by mojito on Wed Jan 23, 2013 8:32 am, edited 1 time in total.

Post by mojito » Tue Jan 22, 2013 11:28 pm

I am wondering why during registration the following model file isn't run, again to help me understand the above problem.

com_users/models/registration.php

this binds and saves the form data to the database and does the activation if needed.

on line 317 of this file we start with
$data['password'] = $data['password1'];

so at this point not encrypted then we do a

if (!$user->bind($data)) {

attaching the non encrypted password to user because $data['password'] --non encrypted

so to my mind we have not stored the encrypted password !

if (!$user->save()) {
we store the data...

in between these 2 steps we run user plugin for something

JPluginHelper::importPlugin('user');

but looking at the database my password is encrypted and I can't output anything here, as if this code isn't run? The template isn't overriding either.

Post by PhilD » Wed Jan 23, 2013 5:01 am

Please run the FPA script http://forum.joomla.org/viewtopic.php?f=621&t=582860 on the site in question and post the generated results so we may see the sites environment and some details about the site.

There are extensions that replace, or use their own login module and not the Joomla default login module or page. The Joomla core login works properly and if possible should be used and not modified as modifications may make it insecure. Using non core Joomla login

Just so you understand basically how the Joomla passwords work, the site user wishing to login enters a user name and password in a form. This information is recorded in variables upon form submission and the user name is looked up in the database. If a username match is found then the salt from the username's password is added to the entered password text. This new 'password' is then md5 encrypted and compared to the stored md5 encryption in the database for that username. If there is a match then the username is allowed to be logged into the site at the user level assigned to that username.

See: http://api.joomla.org/Joomla-Platform/U ... elper.html

You can not in general decode the md5 password, you can only compare as I described above.

If there are registrations from hundreds of miles away, are they from a satellite office or are they from someone unknown? Generally an intranet (internal network) is supposed to be internal only and not reachable from the web otherwise it is not an intranet.

Post by mojito » Wed Jan 23, 2013 8:26 am

Firstly thanks for posting some info of help, I will address each of your points

"Please run the FPA script viewtopic.php?f=621&t=582860 on the site in question and post the generated results so we may see the sites environment and some details about the site."

I can't get clearance to run something like this - security is not allowed - this has been a big problem for me in getting help. I know, I wish it were different but I am serious about protecting these server environments. This is why I need to go through and provide debug and look at specific code examples here. I hope people can understand this and not just say well that's our policy so we won't now help you. I can say that I have checked the overrides in the rockettheme template and there are none for the com_users, we also run jomsocial and this login and registration isn't used.

The command cycle that has the issue is index.php? component =com_users?task= login So I am looking at all the executing code to find out if we are looking for sessions (I don't have much knowledge of them). Sessions in our site are stored on the database, I have looked at a few in the database and they don't look like they store passwords unhashed which is what I suspect. The sessions should not contain ANY password info IMO. A session should be about state. I could understand a user getting someone else's username sent over if it got the sessions mixed up but not a valid password.

So if anyone knows what sessions are happening and how they are working this would be helpful to me, thanks.

We are eliminating extensions from the system as much as possible - we use easyblog jomsocial rsforms and that's it. Otherwise we are also not allowing core modifications to the code base so we can run upgrades normally without fear. So at this stage I know there are NO core code mods.

Thanks for confirming what I knew about the passwords - one way encrypted and in this case I am 'confident' the user's password which pre-populated the other remote user's login box didn't therefore come from the users table. Hence why we are looking at sessions and the registration / login code to see as (THIS IS THE ONLY PLACE THE USER INPUTS IT (AND LOGIN)).

Thanks for the helper class link - the only one I am foggy on is getSalt - I thought salt was simply a random input to help generate the encrypted password MD5 as default. I guess that in order to get the same encryption we need to know the same salt each time to get the same generation.

"If there are registrations from hundreds of miles away, are they from a satellite office or are they from someone unknown? Generally an intranet (internal network) is supposed to be internal only and not reachable from the web otherwise it is not an intranet."

They are from a satellite office from someone known, who the day before (this bug showed) registered and did not activate the account. A non activated account still has everything a normal account does in the user table, just the activation field is not set.
You are right to pull me on the semantics, yes strictly (even generally) speaking what we have here is an extranet.

So for me at this stage the things unclear are

Sessions - how they are working, we are using database ones and do they link to session cookies by an ID.
How a password can get into this field ? - javascript of rendering the field with value='content' from the php direct, or browser doing work I guess using its own javascript ? the browser password remember for example or address population tools are able to do this.

Thanks again for your valued sanity checks and input. This is VERY CRYPTIC, anyone know Columbo's email ?

Post by PhilD » Wed Jan 23, 2013 5:52 pm

Well...., ok. The FPA does not present any really sensitive information such as passwords or user info, and you can manually remove the site URLs and alter path info if needed before submitting the post. If you're prohibited from running the script then don't get fired. Is it possible to run any type of diagnostic script on the site?

I actually think there is a simple configuration error somewhere that is causing this. There is also a possibility of a hack causing this, but at this point I don't think so.

This is what is supposed to happen and is taken from a 3.0 default demo site. The information should be the same or nearly the same as the 2.5 site's operation in the basic login and user aspect.

A site visitor registers using the registration link.

The newly registered user that has not activated an account should get this error if they try to login and have not yet activated through the link sent to them via email.

    Error
    Login denied! Your account has either been blocked or you have not activated it yet.

The normal automatic email sent to a user registering would be something like this:

    Hello test,
    Thank you for registering at New 30 Demo. Your account is created and must be activated before you can use it.
    To activate the account click on the following link or copy-paste it in your browser:
    http:// mysite.com/mysite3/index.php?option=com_users&task=registration.activate&token=15a0374667d19e5714bda7ac0db30f33

    After activation you may login to http:// mysite.com/mysite3/ using the following username and password:
    Username: test
    Password: test12

The token is recorded in the database user table under the newly registered user's id and username and the block option is set for that username. The block is removed from the username if the new user uses the link emailed to them and the token matches.

The newly registered account is placed as a member of the registered group and upon successful activation will become an active (non blocked) member of the registered group.

The session table only basically contains active login sessions (timers) and associated user id, user name for users. Visitors not logged in (Guests) are included in the table along with timers so extra guests get removed after a time period of inactivity expires thus changing the guest online count. The table does not contain any passwords in a clear or hashed (encrypted) form. The cookies stored on a local browser do not contain any login information and are generally removed after use.

According to the API stuff, the only times a password is in clear text is when a user changes their password using the user manager (the entered and submitted password is in clear text until it can be encrypted) and when a user initially enters the text on the login form up to the point it is received from the browser by the Joomla site and encrypted for comparison to the value in the database user table. Once logged in and for basically everything else the password is not needed as the user level permissions are used.

The salt is randomly generated the first time and is stored in the database user table in the form of password:salt
If the salt was randomly generated every time, then the entered password would never encrypt to what was stored in the database and the login would always fail. So password part goes: clearpassword + salt = newpassword if encrypt(newpassword) == existingpassword encryption then allow login to proceed else error.

Based on some previous experiences (I don't use JomSocial so someone else will need to step in here and correct me if needed), JomSocial integrates itself rather deeply into the Joomla user environment and does things to Joomla to facilitate a social (think Facebook) type environment. Some of which could be registering a new user registration to a level which could be or could have the same rights as the employees level, or not blocking or requiring an activation (immediate activation). This could be your source of the problems. Any extension that you do not actively use should be uninstalled and then removed completely.

You could also have the user manager options set incorrectly under the global configuration allowing for registration and placing into the wrong group.

I would not allow any self registration at all on a work site. (turn off the option to do so) and I would add any new accounts as needed manually to the site using the admin interface. Yes, people who forget their password and need a new one or are new and need access have to contact you or be entered first into the system, but that is minor.

I would also make all employees a new group and assign most of the site to the employee level group and not have them belong to the registered group.

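The salt question raised earlier in the thread and the `password:salt` check described in the post above, as an added example (not Joomla's code and not part of the original posts). The function names and sample values are constructed for illustration, and the concatenation order follows the "clearpassword + salt" description above.

```php
<?php
// Added example: checking a login attempt against a stored "hash:salt" value,
// following the salted-MD5 scheme described in the post above.
// Function names and sample values are constructed for illustration.

/** Build the value stored at registration: md5(password . salt) . ':' . salt */
function make_stored_password(string $password): string
{
    $salt = bin2hex(random_bytes(16)); // generated once, then stored with the hash
    return md5($password . $salt) . ':' . $salt;
}

/** Check an entered password against the stored "hash:salt" value. */
function verify_stored_password(string $entered, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || $parts[1] === '') {
        // Malformed or unsalted record: this example chooses to reject it.
        return false;
    }
    [$hash, $salt] = $parts;

    // Re-hash the entered text with the *stored* salt and compare in
    // constant time, so the comparison itself leaks nothing about the hash.
    return hash_equals($hash, md5($entered . $salt));
}

// --- Constructed sample run ---
$stored = make_stored_password('test12');

// The right password verifies, a wrong one does not.
var_dump(verify_stored_password('test12', $stored));
var_dump(verify_stored_password('wrong', $stored));

// The same password with a freshly generated salt gives a different stored
// value, which is why the original salt is kept next to the hash.
var_dump(make_stored_password('test12') === $stored);

// A record without a salt part is refused rather than guessed at.
var_dump(verify_stored_password('test12', md5('test12')));
```

MD5 appears here only because it is the scheme the thread describes; for new code PHP's built-in `password_hash()` and `password_verify()` handle salting and a slow hash in one call.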

Post by mojito » Wed Jan 23, 2013 6:31 pm

Is it possible to run any type of diagnostic script on the site? - I might be able to run something local (but then it isn't a true test though could be revealing).

All great points in your post MANY thanks wish joomla.org forum supported the buy beer widget so I can thank you - helps confirm my thinking exactly and with my sanity.

I have proved that user plugin (core) root/plugins/user/joomla.php is persisting user['password'] in public function onUserLogin(
Obviously not a problem in its own right - so will carry on with this dissection. BUT if we already stored the password perhaps we could delete this variable ! As it exists in $user - I still have a massive leap to know that an id could be confused by the system. It certainly seems to fit with what the user saw. BUT I didn't see any code that populates the username or password field from joomla.
What I HAVE seen and had myself was a cookie variable that pre-populated one of the admin filter fields backend - crashing it ! So modern browsers might be able to do this.

When a user clicks on remember me what happens in reality ? I will look at that later.

What I agree from what you say is that the session isn't saving this to the table, so I am trying hard to see if there are any OTHER sessions that can get an erroneous id and return the wrong $user back...

We ARE using SSL btw, forgot to say.

Post by mojito » Wed Jan 23, 2013 6:55 pm

To my knowledge the following two urls are different cycles and stateless normally, so we input password into the first ok fine..

/index.php?option=com_users&view=login

the password goes off and gets checked against the stored hash...how come the following page (cycle) can get the clear password ?

/index.php?option=com_users&view=profile

in this page $user['password'] is available but I don't get HOW - is it native php session persisting it...it's not in the db session table for sure...

Post by PhilD » Thu Jan 24, 2013 12:02 pm

When the user requests to view the profile and they decide to change their password by entering a new password, then and only then would a user have a clear text password.

"...how come the following page (cycle) can get the clear password ?" the only way a clear password can be had is if the browser or server is caching the page. Browsers do that especially IE. Hitting the back button or requesting a page refresh would reload the form and the information in the form fields. If you have caching turned on in Joomla you should not be caching any user profile or login/logout pages. This is also why users concerned about information disclosure should always delete and close the tab or page when done.

Though I'm sure you know this, it is very common for variables to be reused within code multiple times and sometimes what looks like an issue is just a variable being looked at out of context of the code.

I would suggest though that if you are sure you have found an issue that is caused by Joomla and not normal browser usage and it can be reproduced, that the JSST be informed about it so it can be looked into further. There should be no persistence of a clear text password after the point where it is no longer needed.

Post by mojito » Thu Jan 24, 2013 12:40 pm

"...how come the following page (cycle) can get the clear password ?" the only way a clear password can be had is if the browser or server is caching the page.

I would have thought so too - but if you echo out $user['password'] then the value is available on this new page server side so not cached by the browser. No it isn't output but the variable isn't dead yet and has been retrieved from the session cookie or other it isn't in the session table so there MUST be another occurrence cached on the server. And this COULD be sent to the client browser.

isn't cached on the server the same as session idea !

anyway the bigger deal is HOW does it get the session mixed up, after the user left the tab open and session expired it would get deleted out of the table, the cookie might also have been deleted by time. Or if the cookie remained with an id matching a new session id of someone else then the session gets returned to the client and the password (which should have been deleted) would not be present perhaps even though the wrong username is sent back.

Thanks again all valid points - I will if I can prove anything and it makes sense contact JSST.

Post by PhilD » Thu Jan 24, 2013 9:02 pm

I believe that Firefox will display the DOM of the previous page as it was before the page was left. In other words all the form data will still be contained in the form's input fields. This is because Firefox will generally keep the page itself alive for longer than it's on the screen, but will eventually expire it.

IE will work in a similar manner and will retain form contents on a back button click automatically, as long as:

you haven't broken caching with a no-cache, Apache URL rewrite or similar
the form fields are not dynamically created by script (which they are not)

This is pretty much expected behavior as people have come to expect that form data will remain if they move off the form page for some reason then move right back to the form.

Headers output by the template can also affect how browsers interact with form fields as can program cache options.

As stated before neither the browser cookies nor the session table store any password data and so can not be a source of a clear password.

I do not know enough about how long (probably for duration of the 'session' as determined within the global options for the config.php) the core code will keep a variable data itself but in general the following should be basically true.

PHP variables will persist for the lifetime of the script running through the interpreter. In the case of a web request, this is the lifetime of handling the requests. It does not matter how the requests are presented (php, ajax, etc) to the server, as they are handled the same and survive until the script terminates after handling the request.

The life span of PHP (and its variables) over a request would then be something like this:

A request is sent to server, whether by user, ajax, curl, PHP or some other effective way. This would be the request to login.

The PHP script is executed into interpreter memory, (This is eventually going to be the login page the viewer sees.) whether as a module on your web server, a CGI worker process, or other options depending upon the type of the request.
The script is then executed, and a response to the request is created and sent back. The viewer sees the login form.

In some cases the script continues to execute some job (could be a wait) until eventual termination, at which time all variables associated with the script will die with it.

So I would say that yes it is possible to have a variable that if not explicitly being destroyed by the running script after use of the variable is no longer needed to contain data in clear text. Terminating the script will destroy the data held within variables of the script. At what point the script is actually terminated from memory would be the question. Of course if the browser still has a copy of the script then the data can be submitted again restarting and repopulating the script variables on the server.

I would say there is nothing explicitly wrong with the way the login form operates or is handled internally and that you should find where the cache data is and prevent that.

Post by mojito » Fri Jan 25, 2013 9:19 am

One http request cycle is unrelated to another and this is what the majority of hackers try and exploit as we try to 'keep state' they jump on your session or at least try. Any php variable would have been killed I would have thought but it doesn't appear to work exactly like this (as above I have seen $user object persist a password from a separate request). I have read what you say and mostly agree sounds reasonable. The password in the unrelated script could be gotten from the cookie set by remember me, I have not got that far yet.

Further research from yesterday I can confirm that if you DO click remember me then password is saved into it (the cookie) and it IS 2 way encryption ! See below the remember plugin checks the cookie and logs you in !

Code:

$app->login($credentials, array('silent' => true))

Code:

if (is_array($credentials)) {
    if (isset($cookieData['username']) && is_string($cookieData['username'])) {
        $credentials['username'] = $filter->clean($cookieData['username'], 'username');
    } else {
        $goodCookie = false;
    }
    if (isset($cookieData['password']) && is_string($cookieData['password'])) {
        $credentials['password'] = $filter->clean($cookieData['password'], 'string');
    } else {
        $goodCookie = false;
    }
} else {
    $goodCookie = false;
}

if (!$goodCookie || !$app->login($credentials, array('silent' => true))) {
    $config = JFactory::getConfig();
    $cookie_domain = $config->get('cookie_domain', '');
    $cookie_path = $config->get('cookie_path', '/');
    // Clear the remember me cookie
    setcookie(
        JApplication::getHash('JLOGIN_REMEMBER'), false, time() - 86400,
        $cookie_path, $cookie_domain
    );
}

I was thinking that this filled in the password box but this doesn't seem to be the case (test this by deleting saved passwords and play with it) as I found no php nor javascript that populates the boxes username and password.

OUTSIDE OF JOOMLA
I am now looking into the browser behaviour save password - where this is stored depends on the browser, for mac and chrome this is key chain, for this case I want to make sure that we are storing it locally. What happens suggests that it's getting this password and user from a centralised storage place, maybe not Joomla though I have cited potential security measures that could be improved. The cookie doesn't need to hold the password - it's not used to populate the password field at least from my own research which I feel is good but CONCRETE is another matter.

Thanks again to all reading and Phil especially.


Re: Issue with password and username getting prefilled in !

Post by mojito » Tue Apr 30, 2013 12:37 pm

Found out where this was happening - the app giving up the user data (mixed session !) in the user component model function loadFormData

$data = $app->getUserState('users.login.form.data', array());

If you pre this data out you will see the password in clear text! YIKES, that shouldn't happen.

Re: Issue with password and username getting prefilled in !

Post by mandville » Tue Apr 30, 2013 1:29 pm

If you think it's a bug then pass it to the JBS;
if you think it's something more serious then contact the JSST at developer.joomla.org/security
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Re: Issue with password and username getting prefilled in !

Post by mojito » Tue Apr 30, 2013 1:50 pm

This post is my report to the team.

Re: Issue with password and username getting prefilled in !

Post by mandville » Tue Apr 30, 2013 2:21 pm

Bug and core security issues are only accepted and recognised via the appropriate forums or link, to follow the proper process chain:
http://forum.joomla.org/viewforum.php?f=579 for the Joomla Bug Squad
and developer.joomla.org/security for the JSST over core issue concerns.
They are monitored by dedicated teams.

Re: Issue with password and username getting prefilled in !

Post by mojito » Wed Nov 05, 2014 7:33 am

JomSocial may be the culprit here - I have seen this now on another separate site. It's all updated correctly as well. Google Chrome is the offending browser for me.

Re: Issue with password and username getting prefilled in !

Post by elliottbenzle » Wed Dec 03, 2014 6:22 pm

Hi, I had this same problem with a site running Joomla 3.3.6 and JomSocial. It's very difficult to track down, since it happens very infrequently and I haven't been able to duplicate it myself.

My best guess is that the login view of the users component is passing in the raw password of a user. The page then gets cached by Joomla and subsequent visitors to that page will see the cached version of the page which contains a username and password.

I'm not sure if it worked, but here's what I did:

Edited /components/com_users/models/login.php
line 32: changed $loadData = true to $loadData = false
public function getForm($data = array(), $loadData = false)

That prevents the raw password from being sent to the page. It's a core hack, so you'll need to be careful of any updates.

I also installed the 'kCache Improved' plugin and set the com_users component to not cache.

Since making those changes I haven't had any more reports of similar problems.
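
A check for the symptom reported in this thread (a login form served with the password input already populated), added here as an example; it is not part of any poster's message and not Joomla code. The sample markup, field names and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup: a login form with username/password inputs.
CLEAN_FORM = """
<form action="index.php" method="post">
  <input type="text" name="username" id="username" value="" />
  <input type="password" name="password" id="password" value="" />
  <input type="hidden" name="return" value="aW5kZXgucGhw" />
</form>
"""
# Same form as it would look if stored form data were rendered back into it.
LEAKY_FORM = CLEAN_FORM.replace(
    'name="username" id="username" value=""',
    'name="username" id="username" value="newmember"',
).replace(
    'name="password" id="password" value=""',
    'name="password" id="password" value="S3cret-demo"',
)


class _InputAudit(HTMLParser):
    """Collects <input> elements that arrive with a credential in `value`."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {k: (v or "") for k, v in attrs}
        kind = attr.get("type", "text").lower()
        name = attr.get("name", "")
        value = attr.get("value", "")
        if not value.strip():
            return
        if kind == "password":
            role = "password"
        elif kind in ("text", "email") and "user" in name.lower():
            role = "username"
        else:
            return  # hidden tokens, return URLs etc. are not credentials
        # Record only the length so the audit output does not re-leak the secret.
        self.findings.append((role, name, len(value)))


def audit_login_html(html):
    """Return (role, field name, value length) per pre-filled credential input."""
    parser = _InputAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_safe_to_cache(html):
    """True only if no password input in the rendered page carries a value."""
    return not any(role == "password" for role, _, _ in audit_login_html(html))
```

Run against the rendered login page as fetched in a fresh browser profile with no saved passwords, any finding means the value came from the server side rather than from the browser's password store.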


Re: Issue with password and username getting prefilled in !

Post by mojito » Wed Dec 03, 2014 10:40 pm

Thanks for posting - I am getting ready to ditch JomSocial tbh - I find their support less than helpful for this. But the other stuff in here about the password is a big worry, and I wish the core Joomla team would investigate further. I get maybe an hour every weekend to look at updates and issues. I simply don't have the time needed to keep a Joomla site running. But Google don't want hobbyist sites running anyway. So it's all kinda a moot point.

Re: Issue with password and username getting prefilled in !

Post by mojito » Thu Dec 04, 2014 10:48 pm

Yep, it's all documented here! Still happening.