Reset Password Action in Active Directory LDAP Shows password in plain text in Job

When you add a password reset step using the Active Directory LDAP plugin, it masks the password, but when the job runs it shows that password in plain text. This probably should be obfuscated.

Hi @brandon_mcclure, thanks for reporting. At Rapid7, we take information security leaks and other related incidents very seriously and will be pushing out a fix shortly to mask/obfuscate any password types in the job view. Fortunately, only a very small fraction (I counted 10) of our 300+ plugins do this which is why it has been overlooked, so it’s great that you brought this to our attention.

Thanks again for reporting.


Hey @brandon_mcclure thanks for reaching out. For future reference we have a disclosure process at https://www.rapid7.com/disclosure/ , where you can submit these types of findings to our Security team.


Thank you, I will use this next time.


Hi @brandon_mcclure, we just released a fix for this. Now we obfuscate all password types in the job view.

Thanks again for reporting this!

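For readers who maintain their own automation platform or plugin, the following is an added example of the kind of fix the reply above describes: redaction driven by the parameter's declared type, so that any field an action schema marks as a password is masked in the job view, and any copy of that value the plugin echoed into the job log is scrubbed as well. This is not Rapid7's code; the schema convention (`"format": "password"` / `"displayType": "password"`), the field names, the sample parameters and the log lines are all constructed assumptions.

```python
"""Schema-driven redaction of password-typed parameters from a job view.

Added example for the fix described in the thread (mask every parameter
whose schema marks it as a password before rendering the job). It is not
Rapid7's code; the schema layout, field names, sample parameters and log
lines are all constructed assumptions.
"""
import json
from typing import Any

MASK = "********"  # fixed width so the rendering does not leak secret length

# Assumed convention: a JSON-Schema style action input schema that marks
# secrets with "format": "password" (or "displayType": "password").
ACTION_INPUT_SCHEMA = {
    "type": "object",
    "properties": {
        "username": {"type": "string"},
        "new_password": {"type": "string", "format": "password"},
        "options": {
            "type": "object",
            "properties": {
                "bind_password": {"type": "string", "displayType": "password"},
                "unlock": {"type": "boolean"},
            },
        },
        "extra_secrets": {
            "type": "array",
            "items": {"type": "string", "format": "password"},
        },
    },
}


def _is_password(schema: dict) -> bool:
    """True if the schema node declares a secret (either assumed marker)."""
    return schema.get("format") == "password" or schema.get("displayType") == "password"


def _walk(schema: dict, value: Any, secrets: list[str]) -> Any:
    """Return a masked copy of value, collecting the original secrets.

    Walks the value alongside its schema so redaction is driven by the
    declared type, not by guessing from key names; nested objects and
    arrays are handled, keys absent from the schema are copied through.
    """
    if _is_password(schema):
        if value in (None, ""):
            return value  # nothing to hide
        if isinstance(value, str):
            secrets.append(value)
        return MASK
    stype = schema.get("type")
    if stype == "object" and isinstance(value, dict):
        props = schema.get("properties", {})
        return {k: _walk(props[k], v, secrets) if k in props else v for k, v in value.items()}
    if stype == "array" and isinstance(value, list):
        item_schema = schema.get("items", {})
        return [_walk(item_schema, v, secrets) for v in value]
    return value


def redact_text(text: str, secrets: list[str]) -> str:
    """Scrub every collected secret out of free-form log text.

    Job logs may echo a parameter (bind errors, request dumps), so each
    secret is removed in both its raw and JSON-escaped form, longest
    first so a secret that contains another is not left half-masked.
    """
    forms = set()
    for s in secrets:
        forms.add(s)
        forms.add(json.dumps(s)[1:-1])  # escaped form as it appears inside a JSON dump
    for form in sorted(forms, key=len, reverse=True):
        if form:
            text = text.replace(form, MASK)
    return text


def render_job(schema: dict, params: dict, log_lines: list[str]) -> dict:
    """Build the redacted view of a job: masked inputs plus scrubbed log."""
    secrets: list[str] = []
    masked = _walk(schema, params, secrets)
    return {"input": masked, "log": [redact_text(line, secrets) for line in log_lines]}


# Constructed sample job: the parameters a password-reset step received and
# the lines the plugin wrote while running it.
SAMPLE_PARAMS = {
    "username": "jdoe",
    "new_password": "Hunter2!Summer",
    "options": {"bind_password": 'svc-"ldap"-S3cret', "unlock": True},
    "extra_secrets": ["tmp-pass-1", ""],
    "comment": "ticket 4711",  # not declared in the schema, passed through
}
SAMPLE_LOG = [
    'Binding as CN=svc,DC=corp,DC=example with password svc-"ldap"-S3cret',
    "Reset password for jdoe to Hunter2!Summer: success",
    'Request body: {"new_password": "Hunter2!Summer", "bind": "svc-\\"ldap\\"-S3cret"}',
]

if __name__ == "__main__":
    print(json.dumps(render_job(ACTION_INPUT_SCHEMA, SAMPLE_PARAMS, SAMPLE_LOG), indent=2))
```

Two design choices worth noting: the mask is a fixed string rather than one asterisk per character, so the view does not reveal password length, and redaction keys off the schema type rather than off key names like `password`, which is exactly how a parameter named `bind_password` inside a nested `options` object (or an array of secrets) still gets caught. The second pass over the log matters because plugins routinely echo their inputs in error messages and request dumps; masking the input panel alone would leave the same password visible a few lines further down.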

Confirmed and looking good.
