When you add a password reset step using the Active Directory LDAP plugin, it masks the password, but when the job runs it shows that password in plain text. This probably should be obfuscated
Hi @brandon_mcclure, thanks for reporting. At Rapid7, we take information security leaks and other related incidents very seriously and will be pushing out a fix shortly to mask/obfuscate any
password types in the job view. Fortunately, only a very small fraction (I counted 10) of our 300+ plugins do this which is why it has been overlooked, so it’s great that you brought this to our attention.
Thanks again for reporting.
Hey @brandon_mcclure thanks for reaching out. For future reference we have a disclosure process at https://www.rapid7.com/disclosure/ , where you can submit these types of findings to our Security team.
thank you, I will use this next time
Hi @brandon_mcclure, we just released a fix for this. Now we obfuscate all
password types in the job view.
Thanks again for reporting this!
Confirmed and looking good