CMDBuild Forum

Security issue running webservice

This webservice
http://1xx.xxx.xxx.xxx:8080/cmdbuild/services/rest/v3/system/config

retrieves the database password in plain text:

"org.cmdbuild.database.db.username":"postgres","org.cmdbuild.database.db.url":"jdbc:postgresql://localhost:5432/cmdbuild_cfb5","org.cmdbuild.database.db.password":"xxxxxxx!"

I don’t see how this is a security issue since you have to authenticate in order to access the webservice.

The password has to be stored in clear text for CMDBuild to be able to connect to the database on startup.

I see that the credentials were stored in the browser session (I didn't type them), OK... then it should be fine.

This might be an unpopular opinion (I haven't validated that this report is actually true), but I don't think this is OK and it should still be flagged as a bug. Having access to the application doesn't mean you should be able to retrieve the password to the database. We have a separation of duties policy for sensitive information, and this gives non-privileged users key information to access the database. Certainly there are other layers of protection around access to that information, but a password being exposed in plain text is not OK.

This only works because of the cookies IMO. If you open a private navigation window and try it you should get something like:

{"success":false,"messages":[{"level":"ERROR","show_user":false,"message":"org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource"}]}

Hi,

The cleartext db password can indeed be obtained from the system config ws, but only if you're logged in with an admin account. This is not actually a security issue, since a user with an admin account has full access over db content and structure anyway (including the possibility to manipulate sql).

A future release may add an option to obfuscate/hide this configuration in the ws. This would be mostly for aesthetic reasons, since the actual security impact of this behavior is negligible.

CMDBuild Team
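A sketch of the "obfuscate/hide this configuration in the ws" option the team mentions, written as an added example and not CMDBuild's own code: it masks config values whose keys look like credentials (the key pattern, the mask string and the URL handling are my assumptions) before the document is serialized into the REST response, using a constructed copy of the keys quoted earlier in the thread.

```python
import json
import re

# Constructed sample mirroring the keys quoted in the thread; the password
# value is a placeholder, not a real credential.
SAMPLE_CONFIG = {
    "org.cmdbuild.database.db.username": "postgres",
    "org.cmdbuild.database.db.url": "jdbc:postgresql://localhost:5432/cmdbuild_cfb5",
    "org.cmdbuild.database.db.password": "xxxxxxx!",
}

# Assumed heuristics: keys that usually hold secrets, and the replacement shown to clients.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|private[_.]?key)", re.IGNORECASE)
# Connection URLs can also carry a credential as a query parameter (e.g. "?password=...").
URL_PASSWORD = re.compile(r"(password=)[^&;]*", re.IGNORECASE)
MASK = "********"


def redact_config(node, key=""):
    """Return a deep copy of `node` with credential-like entries masked.

    The input is never mutated, so the live configuration the application
    needs to connect to the database (the point made in the thread) is untouched;
    only the copy handed to the web-service response is masked.
    """
    if SENSITIVE_KEY.search(key):
        return MASK                     # whole value hidden, whatever its type
    if isinstance(node, dict):
        return {k: redact_config(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [redact_config(v, key) for v in node]
    if isinstance(node, str):
        # Scrub a password embedded in an otherwise harmless connection URL.
        return URL_PASSWORD.sub(lambda m: m.group(1) + MASK, node)
    return node


def config_response(config, redact=True):
    """Build the JSON body the endpoint would return; `redact` models the proposed option."""
    body = redact_config(config) if redact else config
    return json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    print(config_response(SAMPLE_CONFIG))
```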