Sync password viewable in HTML code…
I noticed today that the "Remote System Password" textbox in "System: High Availability Sync" gets populated with your password on page load. This should NEVER happen. Is there a way to prevent this? This is a rookie mistake in my opinion…
Gertjan last edited by
Keep in mind that you need admin privileges to see this page.
Yes, that is fine. What if I am in an office and leave my computer unlocked for a few minutes and someone views the source and grabs the admin password? The admin password should never be displayed under any circumstances, and in fact, it should be encrypted!
Yes, that is fine. What if I am in an office and leave my computer unlocked for a few minutes and someone views the source and grabs the admin password?
Or they'll just go and download the config.xml backup. Not sure what you are suggesting here. When you leave people with root access, then you are royally fucked.
KOM last edited by
What if I am in an office and leave my computer unlocked for a few minutes and someone views the source…
This is the point where you file it under noob mistake.
Thanks for the article. I still don't know why it needs to be output the way it is. As far as a n00b mistake, I've worked in IT for many years and I'm very used to locking my workstation. Others are lazy… And we've all made that mistake.
Thanks for the replies, I'll live with it.
If you really want to remove it, it's a simple one line: https://github.com/pfsense/pfsense/blob/RELENG_2_2/usr/local/www/system_hasync.php#L185
But, as noted above, leaving your browser logged on as admin is totally NOT secure.
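As an added illustration of the pattern the linked one-line change addresses (this is example code, not pfSense's own system_hasync.php, and the names $config, ha_sync_password and remote_password are hypothetical placeholders): the weak form echoes the stored secret into the page source on every load, while the hardened form always renders the field blank and treats an empty submission as "keep the stored password".

```php
<?php
// Added illustration, not pfSense code. $config, 'ha_sync_password' and
// 'remote_password' are hypothetical names standing in for the real ones.

// Weak pattern: the stored secret lands in the HTML on every page load,
// so anyone who can view the source of an open admin session can read it.
function render_password_field_weak(array $config): string {
    $stored = $config['ha_sync_password'] ?? '';
    return '<input type="password" name="remote_password" value="'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';
}

// Hardened pattern: never emit the stored value; the field is always blank.
function render_password_field_safe(): string {
    return '<input type="password" name="remote_password" value="" autocomplete="new-password">';
}

// On submit, an empty field means "leave the stored password unchanged", so the
// operator can edit the other sync settings without retyping the secret.
function apply_password_submission(array $config, array $post): array {
    $submitted = $post['remote_password'] ?? '';
    if ($submitted !== '') {
        $config['ha_sync_password'] = $submitted;
    }
    return $config;
}

// Constructed sample data for a stand-alone run.
$config = ['ha_sync_password' => 'example-secret'];   // constructed, not a real credential

echo render_password_field_weak($config), "\n";   // secret is visible in view-source
echo render_password_field_safe(), "\n";          // value="" : nothing to harvest

$config = apply_password_submission($config, ['remote_password' => '']);
assert($config['ha_sync_password'] === 'example-secret');   // blank submit keeps the old value

$config = apply_password_submission($config, ['remote_password' => 'new-secret']);
assert($config['ha_sync_password'] === 'new-secret');       // non-empty submit replaces it
```

This only keeps the secret out of the page source; as noted above, a config.xml backup pulled from the same logged-in session still contains it.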
Thanks. I'm going to remove it. I understand all that. I am just a bit confused as to why the password isn't just left blank. At least it's an easy fix :)