User credentials are logged and emailed in plain text if an exception is raised during login #2372

Closed
opened 2025-12-29 17:25:24 +01:00 by adam · 2 comments

Originally created by @ben-kuhn on GitHub (Feb 12, 2019).

When LDAP is misconfigured, the stack trace sent to syslog and via email to the configured admins contains the user's password in plain text. This is an information disclosure vulnerability as users of the syslog system, email administrators, and anyone configured as a NetBox admin receives a plain-text copy of a user's password if LDAP authentication fails.

If a NetBox server was compromised in some other way, the attacker could use this to gather credentials, pivot, potentially escalate privileges, and move throughout the network.

If this were to happen accidentally, the user logging in and seeing the login failure may not know that their password was exposed to users with access to the NetBox system, email system, email archive, or syslog servers and not realize that their password would need to be changed.

Here is an obfuscated snippet from the email I received when encountering this bug:

Exception Type: ImproperlyConfigured at /login/
Exception Value: AUTH_LDAP_USER_SEARCH must be an LDAPSearch instance.
Request information:
USER: AnonymousUser

GET: No GET data

POST:
csrfmiddlewaretoken = 'token'
next = '/'
username = 'myUserName'
password = 'myPasswordInPlainText'

FILES: No FILES data

COOKIES:
csrftoken = 'token'

Environment

  • Python version: 3.6.7
  • NetBox version: 2.5.5

Steps to Reproduce

  1. Install NetBox from git
  2. Configure Admins and Mail settings
  3. Configure Logging
  4. Configure LDAP, but make a mistake somewhere so that authentication will not work
  5. Attempt to log in. Don't use a real password if this is a production environment

Expected Behavior

Errors to be logged and potentially emailed with passwords hashed, obfuscated, or not included at all

Actual Behavior

My LDAP password was emailed in plain text as part of the stack trace to the entire team, as well as logged in the log file locally and on the remote syslog server

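The mechanism Django provides for this class of leak, reduced to a self-contained model (an added example, not NetBox or django-auth-ldap code; `Request`, `ImproperlyConfigured` and both views are stand-ins constructed here): a view decorated with `sensitive_post_parameters` marks which POST fields the exception reporter must cleanse, so the emailed report still names the failing setting but shows the password as `********`, while a view that marks nothing produces a report like the one quoted above.

```python
import functools
from dataclasses import dataclass, field

CLEANSED, ALL = "********", "__ALL__"

class ImproperlyConfigured(Exception):
    """Stands in for django.core.exceptions.ImproperlyConfigured."""

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    path: str
    POST: dict = field(default_factory=dict)
    sensitive_post_parameters: object = None  # set by the decorator below

def sensitive_post_parameters(*params):
    """Mark POST fields to cleanse from error reports; no names means all of them."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            request.sensitive_post_parameters = list(params) or ALL
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

def cleansed_post(request):
    """POST data as the report filter should show it: marked values replaced."""
    marked = request.sensitive_post_parameters
    if marked is None:           # view never marked anything: everything leaks
        return dict(request.POST)
    return {k: CLEANSED if marked == ALL or k in marked else v
            for k, v in request.POST.items()}

def unsafe_login_view(request):
    # Simulates the LDAP backend failing on a misconfigured AUTH_LDAP_USER_SEARCH.
    raise ImproperlyConfigured("AUTH_LDAP_USER_SEARCH must be an LDAPSearch instance.")

# Same view, but with the password field marked as sensitive.
login_view = sensitive_post_parameters("password")(unsafe_login_view)

def report_for_failed_login(view, post):
    """Run `view` until it raises and render the report the admins would receive."""
    req = Request("/login/", dict(post))
    try:
        view(req)
    except ImproperlyConfigured as exc:
        lines = [f"Exception Type: {type(exc).__name__} at {req.path}",
                 f"Exception Value: {exc}", "POST:"]
        return "\n".join(lines + [f"{k} = {v!r}" for k, v in cleansed_post(req).items()])
    return None
```

Note that this only cleanses what the exception reporter renders; anything a custom view logs itself from `request.POST` still needs the same treatment.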
adam added the type: bug, status: accepted labels 2025-12-29 17:25:24 +01:00
adam closed this issue 2025-12-29 17:25:24 +01:00

@jeremystretch commented on GitHub (Feb 13, 2019):

NetBox employs the django-auth-ldap library (https://github.com/django-auth-ldap/django-auth-ldap) for LDAP authentication. Please raise this issue with that project.


@ben-kuhn commented on GitHub (Feb 13, 2019):

I opened an issue upstream for this: Issue 114 (https://github.com/django-auth-ldap/django-auth-ldap/issues/114). Jon reports this is an implementation issue and has provided documentation on how to avoid this problem.

Reference: starred/netbox#2372