Actions
Task #2958
openConfidential attributes of an user account can be displayed through accounts agenda
Start date:
09/20/2021
Due date:
% Done:
0%
Estimated time:
Owner:
Description
When I display the account on a system agenda, e.g. https://172.31.255.123/idm/#/system/f007c3d4-5e50-49ce-8fd2-09564b7afcb3/accounts and I click a user, I can get to the value of userPassword
attribute:
userPassword e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9
Fortunately, it is a hash, but (as you can see here) it is only SHA so not really a strong one. The target system is some OpenLDAP connected with LDAP connector. Given some more funky target system (as some custom-tailored / archaic systems tend to be) there is a risk that IdM would be able to display user passwords through the account agenda.
Problem is that although connector does not return confidential attribute __PASSWORD__
(which comes from mapping), it still returns userPassword
(which comes from schema). IdM loads accounts from target system using system schema.
In the above example, the userPassword
attribute has those two settings enabled: "returned by default", "can be read". Changing their setting does not affect reported behavior in any way.
- When reading data from connector into IdM, filter out schema attribute values when they are not "returned by default" so they do not propagate further.
- Alternatively, filter them in such a way that they at least do not propagate to FE.
There was a brief discussion on slack regarding this (link below).
Related issues
Updated by Petr Fišer almost 3 years ago
- Assignee deleted (
Vít Švanda) - Target version set to 12.2.0
Updated by Roman Kučera over 2 years ago
- Target version changed from 12.2.0 to 13.0.0
Updated by Tomáš Doischer over 2 years ago
- Related to Feature #3164: New account detail added
Updated by Tomáš Doischer about 2 years ago
- Target version changed from 13.0.0 to 12.4.0
Updated by Tomáš Doischer almost 2 years ago
- Target version changed from 12.4.0 to 13.1.0
Actions