Comments (7)
@benmap-brex: I am unable to follow how this can happen on the default configuration (no logs exposed). Can you please elaborate?
from keymaster.
Hey, not sure what the default config is, but usernames are not HTML-encoded when reflected into the /logs endpoint on port 6920. If an attacker POSTs to the login endpoint with a username containing HTML, it will show up in the logs, as shown in the screenshot above.
I agree with you... @rgooch: this is what happens when templates are not used. Since this happens only when public logs are enabled (non-default), I am accepting this as a bug, but making it a medium issue.
I updated the impact and accepted this as a bug.
Thanks for checking into this! Again, didn't know it wasn't a default config 👍
Given this was exposed with a non-default configuration, is there anything we should/can do here?
@cviecco: I'm not sure what the relevance of templates vs. not using templates is. The /log endpoints dump the contents of the log files and the in-memory log buffer. I don't think the logs should be processed in any way by this endpoint.
I've merged code (Cloud-Foundations/Dominator#49) which escapes HTML sequences in the logs display. Anyone building from HEAD will have this fix. I think that completes the source code side of this, so closing. Please re-open if you disagree.
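The escaping fix this thread converges on, as an added example (my own code, not the project's and not the contents of Dominator#49): a Go rendering of an in-memory log buffer, first in the reported form that writes raw lines into the page, then with each line HTML-escaped, then through html/template as the comment about templates suggests. The log lines, page skeleton and function names are constructed for the example.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Constructed in-memory log buffer (example data, not the project's): the
// last line records a login attempt whose username carries HTML markup.
var sampleLogBuffer = []string{
	"2024-01-01T00:00:00Z login ok user=alice",
	"2024-01-01T00:00:01Z login failed user=bob",
	"2024-01-01T00:00:02Z login failed user=<b>bob</b>",
}
const pageHead, pageTail = "<html><body><pre>\n", "</pre></body></html>\n"

// renderLogsUnsafe mirrors the reported bug: raw log lines go straight into the HTML page.
func renderLogsUnsafe(lines []string) string {
	var b strings.Builder
	b.WriteString(pageHead)
	for _, l := range lines {
		b.WriteString(l + "\n")
	}
	b.WriteString(pageTail)
	return b.String()
}

// renderLogsEscaped is the fix: every line is HTML-escaped, so markup is shown literally.
func renderLogsEscaped(lines []string) string {
	var b strings.Builder
	b.WriteString(pageHead)
	for _, l := range lines {
		b.WriteString(html.EscapeString(l) + "\n")
	}
	b.WriteString(pageTail)
	return b.String()
}

// renderLogsTemplate uses html/template, which escapes interpolated values automatically.
func renderLogsTemplate(lines []string) (string, error) {
	t := template.Must(template.New("logs").Parse(pageHead + "{{range .}}{{.}}\n{{end}}" + pageTail))
	var b strings.Builder
	err := t.Execute(&b, lines)
	return b.String(), err
}

func main() { fmt.Print(renderLogsEscaped(sampleLogBuffer)) }
```

For this input the manual escaping and the template output are identical; html/template additionally escapes characters such as `+` in text context, so the two can differ on other log lines even though both are safe to embed.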