[BUG] System - Advanced - Miscellaneous shows admin credentials



  • With pfSense 2.2.5 64 bit (on pfSense SG-8860 hardware) I went to System - Advanced - Miscellaneous in order to activate the thermal sensors.

    My surprise is that a config.xml downloaded to my computer contains:

    <proxyuser>admin</proxyuser>
    <proxypass>mysecretpassword</proxypass>
    

    I suppose that the navigator (FireFox in my case) copied the latest fields introduced.

    It's a security problem. The pfSense admin password can be easily copied and stored without encryption!

    I returned to the page and I entered

    not_used
    not_used

    And I also edited my backup file to have 'not_used' in the two fields…



  • That username and password are used to authenticate pfSense itself as a user on the upstream proxy you specify.  The whole Proxy Support section is to allow pfSense to access the Internet through a different proxy server.  It's not the pfSense Admin account.

    Edit: on second thought, are you saying that it prefills in this field with the real pfSense Admin account credentials?  Or is it just filling it with the default username & password of admin:pfsense?



  • Yes, I know.

    But my navigator auto-completed these fields without my intervention with my admin credentials.

    I didn't configure proxy access. I only went to activate the thermal sensors and [Save].


  • Banned

    Yeah, so stop using your "navigator" that autofills in wrong fields without your intervention.  ::)

    https://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml



  • Yes it appears to be a browser autocomplete issue.  When I changed my Admin password & told the browser to not update the password in its cache, and then saved my config and checked it, the proxypass was filled with the old password.


  • Banned

    Yeah, the browsers are getting increasingly idiotic and it's more and more impossible to prevent them from using this "smart" autofill feature in completely wrong places.


  • Rebel Alliance Developer Netgate

    I'd love to stop that from happening but browsers simply ignore any HTML directive to disallow autofill. They think they know better and want to fill in all the fields they believe are passwords. We've tried a few tricks to stop it from happening but nothing sane seems to work. Even if the form field names are randomized, if the labels contain things that might be credentials they still auto-fill.



  • I changed the admin password a few times this morning, pfSense 2.2.5 x32 using Firefox 42.0,

    with WebGUI Login Autocomplete ticked and not ticked, toggled the PowerD setting, saved,
    saved the config, and the proxypass never changed, always the default: "pfsense"



  • The admin password is unrelated to the proxy password. Your browser auto-filled it if it's set there, just clear it and make sure it remains that way if you save further changes on the page.
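As an added example (not code from the thread or from pfSense), a small Python audit that scans a downloaded config.xml backup for populated proxy credentials and flags a proxypass that equals the admin password you pass in, so a backup like the one in the first post is caught before it is stored; it also scrubs the fields with the same 'not_used' placeholder the original poster used. The sample config is constructed; the element names proxyuser/proxypass come from the thread, and the proxyurl name and the fact that the fields sit under <system> are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the first post: the browser has autofilled the
# proxy fields with the admin credentials (hypothetical password value).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw01</hostname>
    <proxyurl></proxyurl>
    <proxyuser>admin</proxyuser>
    <proxypass>mysecretpassword</proxypass>
  </system>
</pfsense>
"""

PLACEHOLDER = "not_used"  # value the original poster overwrote the fields with


def audit_proxy_credentials(xml_text, admin_password=None):
    """Return a list of findings about proxy credentials stored in a config.xml.

    - any non-empty, non-placeholder proxypass (it is stored in cleartext)
    - a proxypass set while no proxy URL is configured: the autofill signature
    - a proxypass equal to the supplied admin password (credential leaked)
    """
    root = ET.fromstring(xml_text)
    findings = []
    # Assumption: element names as in the thread; their position in the tree is
    # not assumed, so the whole document is searched.
    user = (root.findtext(".//proxyuser") or "").strip()
    pw = (root.findtext(".//proxypass") or "").strip()
    url = (root.findtext(".//proxyurl") or "").strip()

    if pw and pw != PLACEHOLDER:
        findings.append("proxypass is set and stored in cleartext")
        if not url:
            findings.append("proxypass set but no proxy URL configured: likely browser autofill")
        if admin_password is not None and pw == admin_password:
            findings.append("proxypass equals the admin password: credential leaked into backup")
    if user and user != PLACEHOLDER and not pw:
        findings.append("proxyuser set without a password")
    return findings


def scrub_proxy_credentials(xml_text):
    """Return the config with any populated proxyuser/proxypass replaced by the placeholder."""
    root = ET.fromstring(xml_text)
    for tag in ("proxyuser", "proxypass"):
        for el in root.iter(tag):
            if (el.text or "").strip():
                el.text = PLACEHOLDER
    return ET.tostring(root, encoding="unicode")
```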

