This is also a problem on the Service Profile page filling in LDAP Username/Password. I see so many customers with their admin accounts filled in here from autofill on their browsers. These are sent clear-text to Jabber clients.
I think I talked to some Cisco folks on this and it didn't get anywhere since it was more a browser issue. I think they need to rename some of these fields so that password autofill doesn't happen. On Wed, Mar 14, 2018 at 9:49 PM, Anthony Holloway < avholloway+cisco-v...@gmail.com> wrote: > I'm working on something, and was wondering if you could check something > for me, so I can better understand why and how often this is happening. > > So, I was looking at phone config file today, and I noticed the ccmadmin > username and password was in the XML, and in plain text nonetheless. > > I found out that the browser, when told to remember your credentials, will > treat the SSH username/password fields as login fields whenever you modify > a phone, and you might be unknowingly save your credentials for clear text > view by unauthenticated users. > > Is anyone already aware of this? > > You could you run the following command on your clusters: > > *run sql select name, sshuserid from device where sshuserid is not null > and sshuserid <> ""* > > Then in the output, if there are any hits, look at the config XML file for > the phone and see if the passwords are there. > > E.g., > > output might be: > > *SEP6899CD84B710 aholloway* > > So then you would navigate your browser to: > > *http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml* > > You then might have to view the HTML source of the page, because the > browser might mess up the output. > > You're then looking for the following two fields, your results will vary: > > *<sshUserId>aholloway</sshUserId>* > *<sshPassword>MyP@ssw0rd</sshPassword>* > > Then, since we now know it's happening, get list of how many different > usernames you have with this command: > > *run sql select distinct sshuserid from device where sshuserid is not null > and sshuserid <> "" order by sshuserid* > > This could also be happening with Energy Wise settings, albeit not on the > same web pages. > > I'm curious about two things: > > 1) Is it even happening outside of my limited testing scenarios? > 2) How many different usernames and passwords were there? > > If the answers are yes, and 1 or more, then this is an issue Cisco should > address. > > The reason it's happening is because the way in which browsers identify > login forms, is different from the way in which web developers understand > it to work. Cisco uses the element attribute on these fields "autocomplete > = false" and unfortunately, most browser ignore that directive. > > I have noticed that this does not happen, if you have more than 1 saved > password for the same site, rather it will only happen if you use the same > login for the entire site. Our highest chance of seeing this happen are > for operations teams where they login with their own accounts, and do not > use DRS or OS Admin. > > _______________________________________________ > cisco-voip mailing list > cisco-voip@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-voip > >
_______________________________________________ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip