Username and password being displayed in URL

I just noticed this when we were linking some port error graphs to each other in my team.

Steps to reproduce:

  1. you must log out of librenms

  2. click a deep-link to a given port graph like:

  3. click login when presented with the librenms login screen.

  4. click the “year” graph

  5. username and password is now displayed in the URL in clear text.


EDIT: my install has AD/LDAP integration. I’ve replicated this issue on other installs that also have AD integration.

Can’t replicate.

Are you saying you don’t need to login again at any stage?

allright, theres a step 2.5 “click login”

updating OP right now.

Can’t replicate on my server either.

the installs i’ve replicated it across all has AD/LDAP integration.

Can replicate it on all my LibreNMS instances.

1 Like

Issue seems to only exists when Apache is involved and there is a fix which mitigates this issue for now.


1 Like

Thanks @awlx. In my opinion they need to be unset earlier or prevented from being copied to $vars in the first place.

My proposed fix, can you guys test and verify?