When you add a password reset step using the Active Directory LDAP plugin, it masks the password, but when the job runs it shows that password in plain text. This probably should be obfuscated
Hi @brandon_mcclure, thanks for reporting. At Rapid7, we take information security leaks and other related incidents very seriously and will be pushing out a fix shortly to mask/obfuscate any password types in the job view. Fortunately, only a very small fraction (I counted 10) of our 300+ plugins do this, which is why it has been overlooked, so it's great that you brought this to our attention.
Thanks again for reporting.
Hey @brandon_mcclure thanks for reaching out. For future reference we have a disclosure process at https://www.rapid7.com/disclosure/ , where you can submit these types of findings to our Security team.
Thank you, I will use this next time.
Hi @brandon_mcclure, we just released a fix for this. Now we obfuscate all password types in the job view.
Thanks again for reporting this!
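The fix described in this thread masks every password-typed field in the job view rather than relying on each plugin to avoid echoing secrets. The following is an added illustration of that schema-driven approach; it is not Rapid7's code and does not reflect how InsightConnect implements it. It assumes a JSON-schema-like step definition in which secret fields are declared with `"type": "password"` (an assumption for this example), and walks nested objects and arrays so the mask is applied uniformly regardless of which plugin produced the step.

```python
from typing import Any

MASK = "********"

# Constructed sample: schema for a hypothetical "reset password" step.
SAMPLE_SCHEMA = {
    "type": "object",
    "properties": {
        "username": {"type": "string"},
        "new_password": {"type": "password"},
        "connection": {
            "type": "object",
            "properties": {
                "host": {"type": "string"},
                "bind_password": {"type": "password"},
            },
        },
        "previous_passwords": {"type": "array", "items": {"type": "password"}},
    },
}

# Constructed sample: the parameters as the job would have recorded them.
SAMPLE_PARAMS = {
    "username": "jdoe",
    "new_password": "s3cret-value",
    "connection": {"host": "dc01.example.internal", "bind_password": "bind-value"},
    "previous_passwords": ["old-one", "old-two"],
    "unlisted_field": "kept as-is because the schema does not describe it",
}


def mask_secrets(schema: dict, value: Any) -> Any:
    """Return a copy of `value` with every field whose schema declares
    type "password" replaced by MASK. Nested objects and arrays are walked,
    so a secret inside a connection block or a list is masked too.
    The input is not modified."""
    stype = schema.get("type")
    if stype == "password":
        # Preserve None so "no value supplied" still reads as such.
        return None if value is None else MASK
    if stype == "object" and isinstance(value, dict):
        props = schema.get("properties", {})
        return {
            key: mask_secrets(props[key], item) if key in props else item
            for key, item in value.items()
        }
    if stype == "array" and isinstance(value, list):
        item_schema = schema.get("items", {})
        return [mask_secrets(item_schema, item) for item in value]
    return value


def render_job_view(schema: dict, params: dict) -> dict:
    """Apply masking at the boundary where step parameters become visible
    (job view, logs, exports), so no plugin can accidentally expose a secret."""
    return mask_secrets(schema, params)


if __name__ == "__main__":
    for key, val in render_job_view(SAMPLE_SCHEMA, SAMPLE_PARAMS).items():
        print(f"{key}: {val}")
```

Masking at the rendering boundary, keyed on the declared field type, is what closes the gap the thread describes: the ten plugins that echoed passwords needed no individual changes, and a new plugin that declares a password field is covered automatically. The same function should be applied before parameters are written to persistent job logs or exports, not only to the on-screen view, since those are also places a secret can leak.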
Confirmed and looking good.