Username and password being displayed in URL

I just noticed this when we were linking some port error graphs to each other in my team.

Steps to reproduce:

  1. you must log out of librenms

  2. click a deep-link to a given port graph like:
    https://librenms.org/graphs/to=1527146700/id=4003/type=port_errors/from=1527060300/

  3. click login when presented with the librenms login screen.

  4. click the “year” graph

  5. username and password are now displayed in the URL in clear text.

screenshot: https://i.imgur.com/FVZpaVG.png

EDIT: my install has AD/LDAP integration. I’ve replicated this issue on other installs that also have AD integration.

Can’t replicate.

Are you saying you don’t need to login again at any stage?

Alright, there's a step 2.5 “click login”

updating OP right now.

Can’t replicate on my server either.

The installs I’ve replicated it across all have AD/LDAP integration.

Can replicate it on all my LibreNMS instances.

The issue seems to only exist when Apache is involved, and there is a fix which mitigates this issue for now.
https://p.libren.ms/view/raw/0536472c

CLEAN UP YOUR ACCESS LOG IF YOU WERE AFFECTED

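One way to do the access-log cleanup mentioned above, as an added example that is not part of the original posts or of LibreNMS itself. It assumes the leaked fields are named `username` and `password` and appear either as LibreNMS-style `/key=value/` path segments or as query parameters; the log lines are constructed samples in Apache combined format.

```python
import re
from urllib.parse import unquote

# Assumption: the credentials show up as "username=" / "password=" fields,
# either as /key=value/ path segments or as ?key=value&... query parameters.
CRED_RE = re.compile(r'(?<![\w-])(username|password)=([^/&\s"]*)', re.IGNORECASE)

# Constructed sample lines (Apache combined log format), not real data.
SAMPLE_LOG = '''\
192.0.2.10 - - [24/May/2018:09:25:00 +0200] "GET /graphs/to=1527146700/id=4003/type=port_errors/from=1527060300/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [24/May/2018:09:25:40 +0200] "GET /graphs/to=1527146700/id=4003/type=port_errors/from=1495610700/username=alice/password=S3cr%21t/ HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
192.0.2.11 - - [24/May/2018:09:26:02 +0200] "GET /index.php?username=bob&password=hunter2 HTTP/1.1" 200 900 "https://nms.example/graphs/id=4003/username=bob/password=hunter2/" "Mozilla/5.0"
'''

def scrub(log_text):
    """Redact credential fields anywhere in each log line (request and Referer).

    Returns (scrubbed_text, affected_line_numbers, exposed_usernames).
    """
    out, affected, users = [], [], set()

    def repl(match):
        # Record which accounts appeared, then drop the value itself.
        if match.group(1).lower() == "username":
            users.add(unquote(match.group(2)))
        return match.group(1) + "=[REDACTED]"

    for lineno, line in enumerate(log_text.splitlines(), start=1):
        new_line, hits = CRED_RE.subn(repl, line)
        if hits:
            affected.append(lineno)
        out.append(new_line)
    return "\n".join(out) + "\n", affected, users

if __name__ == "__main__":
    scrubbed, affected, users = scrub(SAMPLE_LOG)
    print(scrubbed, end="")
    print("lines with credentials:", affected)
    print("accounts seen in URLs:", sorted(users))
```

The returned usernames are the accounts whose passwords were written to the log; rotated and compressed log files and any central log store hold the same lines.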

Thanks @awlx. In my opinion they need to be unset earlier or prevented from being copied to $vars in the first place.

My proposed fix, can you guys test and verify?