Bug: If LDAP authentication is enabled, but the PHP LDAP extension is not installed or is broken, passwords are logged to librenms.log as plain text

When LDAP authentication is enabled, but the PHP LDAP extension is not installed or is not working (as could easily happen when upgrading PHP versions), passwords tried in the web UI are logged to the librenms log file as plain text, as shown below:

#68 {main}
Ch[2019-02-11 14:13:40] production.ERROR: LibreNMS\Exceptions\AuthenticationException: PHP does not support LDAP, please install or enable the PHP LDAP extension. in /opt/librenms/LibreNMS/Authentication/ActiveDirectoryAuthorizer.php:192
Stack trace:
#0 /opt/librenms/LibreNMS/Authentication/ActiveDirectoryAuthorizer.php(214): LibreNMS\Authentication\ActiveDirectoryAuthorizer->connect()
#1 /opt/librenms/app/Providers/LegacyUserProvider.php(186): LibreNMS\Authentication\ActiveDirectoryAuthorizer->bind(‘UserName’, ‘SuperSecretPassword…’)
#2 /opt/librenms/app/Providers/LegacyUserProvider.php(118): App\Providers\LegacyUserProvider->fetchUserByName(‘UserName’, ‘SuperSecretPassword…’)
#3 /opt/librenms/vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php(352): App\Providers\LegacyUserProvider->retrieveByCredentials(Array)
#4 /opt/librenms/vendor/laravel/framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php(76): Illuminate\Auth\SessionGuard->attempt(Array, false)
#5 /opt/librenms/vendor/laravel/framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php(41): App\Http\Controllers\Auth\LoginController->attemptLogin(Object(Illuminate\Http\Request))

Once the PHP LDAP plugin is installed or is working correctly, this doesn’t happen anymore.

This is an information leakage vulnerability, as a user with access to the system could interfere with the PHP-LDAP plugin and cause user credentials for other systems to be exposed in plain text before any hashing occurs.

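An added example, not part of the original post and not LibreNMS code: a Python sketch for cleaning up after this bug. It masks the password argument in the `bind` / `fetchUserByName` frames of a log and lists the usernames whose passwords should be reset. The sample log is constructed, and the names `scrub` and `_redact_args` are hypothetical.

```python
import re

# Constructed sample modelled on the trace in the post; the credential values are made up.
SAMPLE_LOG = r"""[2019-02-11 14:13:40] production.ERROR: LibreNMS\Exceptions\AuthenticationException: PHP does not support LDAP
Stack trace:
#0 /opt/librenms/LibreNMS/Authentication/ActiveDirectoryAuthorizer.php(214): LibreNMS\Authentication\ActiveDirectoryAuthorizer->connect()
#1 /opt/librenms/app/Providers/LegacyUserProvider.php(186): LibreNMS\Authentication\ActiveDirectoryAuthorizer->bind('UserName', 'ExamplePassw0rd...')
#2 /opt/librenms/app/Providers/LegacyUserProvider.php(118): App\Providers\LegacyUserProvider->fetchUserByName('UserName', 'ExamplePassw0rd...')
#3 /opt/librenms/vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php(352): App\Providers\LegacyUserProvider->retrieveByCredentials(Array)
"""

# Frames from the post's trace; assumed to take (username, password) as string arguments.
AUTH_FUNCS = {"bind", "fetchUserByName"}
FRAME = re.compile(r"^(#\d+ \S+\(\d+\): [\w\\]+(?:->|::)(\w+))\((.*)\)$")
QUOTED = re.compile(r"'((?:[^'\\]|\\.)*)'")


def _redact_args(args):
    """Keep the first quoted argument (username), mask every later one."""
    seen = []

    def repl(match):
        seen.append(match.group(1))
        return match.group(0) if len(seen) == 1 else "'[REDACTED]'"

    return QUOTED.sub(repl, args), seen


def scrub(log_text):
    """Return (redacted_log, usernames whose password appeared in a trace)."""
    out, users = [], set()
    for line in log_text.splitlines():
        m = FRAME.match(line)
        if m and m.group(2) in AUTH_FUNCS:
            new_args, strings = _redact_args(m.group(3))
            if len(strings) >= 2:  # a credential pair was rendered into the frame
                users.add(strings[0])
                line = f"{m.group(1)}({new_args})"
        out.append(line)
    return "\n".join(out) + "\n", sorted(users)


if __name__ == "__main__":
    redacted, users = scrub(SAMPLE_LOG)
    print(redacted)
    print("reset passwords for:", users)
```

Rotated and archived copies of the log need the same treatment, and every listed account should have its password changed even if the logged value was truncated.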