[cisco-voip] CUCM and Auto Fill Credentials

Brian Meade bmeade90 at vt.edu
Fri Mar 16 12:32:39 EDT 2018


This is also a problem on the Service Profile page filling in LDAP
Username/Password.  I see so many customers with their admin accounts
filled in here from autofill on their browsers.  These are sent clear-text
to Jabber clients.

I think I talked to some Cisco folks on this and it didn't get anywhere
since it was more a browser issue.  I think they need to rename some of
these fields so that password autofill doesn't happen.

On Wed, Mar 14, 2018 at 9:49 PM, Anthony Holloway <
avholloway+cisco-voip at gmail.com> wrote:

> I'm working on something, and was wondering if you could check something
> for me, so I can better understand why and how often this is happening.
>
> So, I was looking at phone config file today, and I noticed the ccmadmin
> username and password was in the XML, and in plain text nonetheless.
>
> I found out that the browser, when told to remember your credentials, will
> treat the SSH username/password fields as login fields whenever you modify
> a phone, and you might unknowingly save your credentials for clear-text
> view by unauthenticated users.
>
> Is anyone already aware of this?
>
> Could you run the following command on your clusters:
>
> *run sql select name, sshuserid from device where sshuserid is not null
> and sshuserid <> ""*
>
> Then in the output, if there are any hits, look at the config XML file for
> the phone and see if the passwords are there.
>
> E.g.,
>
> output might be:
>
> *SEP6899CD84B710 aholloway*
>
> So then you would navigate your browser to:
>
> *http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml*
>
> You then might have to view the HTML source of the page, because the
> browser might mess up the output.
>
> You're then looking for the following two fields, your results will vary:
>
> *<sshUserId>aholloway</sshUserId>*
> *<sshPassword>MyP@ssw0rd</sshPassword>*
>
> Then, since we now know it's happening, get a list of how many different
> usernames you have with this command:
>
> *run sql select distinct sshuserid from device where sshuserid is not null
> and sshuserid <> "" order by sshuserid*
>
> This could also be happening with Energy Wise settings, albeit not on the
> same web pages.
>
> I'm curious about two things:
>
> 1) Is it even happening outside of my limited testing scenarios?
> 2) How many different usernames and passwords were there?
>
> If the answers are yes, and 1 or more, then this is an issue Cisco should
> address.
>
> The reason it's happening is because the way in which browsers identify
> login forms is different from the way in which web developers understand
> it to work.  Cisco uses the element attribute on these fields "autocomplete
> = false" and unfortunately, most browsers ignore that directive.
>
> I have noticed that this does not happen, if you have more than 1 saved
> password for the same site, rather it will only happen if you use the same
> login for the entire site.  Our highest chance of seeing this happen are
> for operations teams where they login with their own accounts, and do not
> use DRS or OS Admin.
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
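The check Anthony describes above (query the device table for rows with an sshuserid, pull each device's cnf.xml from the TFTP server on port 6970, look for a populated sshPassword) can be scripted so it runs across a whole cluster rather than one phone at a time. The script below is an added example, not code from the thread or from Cisco. It assumes the "run sql" output is pasted in as text, that the TFTP server is 10.0.0.5, and it ships with a constructed second device (SEP000011112222 / opsuser) and constructed config files so it runs offline; only the SEP6899CD84B710 / aholloway pair and the sshUserId/sshPassword tag names come from the original message. Passwords found in a config are reported as a masked hint, not printed in full.

```python
"""Audit CUCM phone config files for SSH credentials saved by browser autofill.

Added example, not part of the original thread. Reproduces the manual check
from the message: pair each (name, sshuserid) row returned by
  run sql select name, sshuserid from device where sshuserid is not null and sshuserid <> ""
with http://<tftpserver>:6970/<name>.cnf.xml and flag any config whose
<sshPassword> is non-empty. The TFTP host, the second device and the XML
bodies below are constructed for the example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.request import urlopen

# Constructed "run sql" output as it appears on the CUCM CLI (header row,
# separator row, then one row per device). Only the first row is from the thread.
SAMPLE_SQL_OUTPUT = """\
name            sshuserid
=============== =========
SEP6899CD84B710 aholloway
SEP000011112222 opsuser
"""

# Constructed config files keyed by URL, standing in for the TFTP server.
SAMPLE_CONFIGS = {
    "http://10.0.0.5:6970/SEP6899CD84B710.cnf.xml": b"""<?xml version="1.0" encoding="UTF-8"?>
<device>
  <devicePool><name>Default</name></devicePool>
  <sshUserId>aholloway</sshUserId>
  <sshPassword>MyP@ssw0rd</sshPassword>
</device>""",
    "http://10.0.0.5:6970/SEP000011112222.cnf.xml": b"""<?xml version="1.0" encoding="UTF-8"?>
<device>
  <sshUserId>opsuser</sshUserId>
  <sshPassword></sshPassword>
</device>""",
}


def parse_sql_output(text: str) -> list[tuple[str, str]]:
    """Turn CLI output into (device name, sshuserid) pairs, skipping the
    header and '====' separator rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, userid = parts
        if name.lower() == "name" or set(name) <= {"="}:
            continue
        rows.append((name, userid))
    return rows


def distinct_userids(rows: list[tuple[str, str]]) -> list[str]:
    """Same answer as the 'select distinct sshuserid' query, from the parsed rows."""
    return sorted({userid for _, userid in rows})


def config_url(tftp_server: str, device_name: str) -> str:
    """Phone config file location on the TFTP server's HTTP listener (port 6970)."""
    return f"http://{tftp_server}:6970/{device_name}.cnf.xml"


def extract_ssh_credentials(cnf_xml: bytes) -> dict[str, str]:
    """Return non-empty sshUserId / sshPassword values found anywhere in the config."""
    root = ET.fromstring(cnf_xml)
    found = {}
    for tag in ("sshUserId", "sshPassword"):
        for element in root.iter(tag):
            if element.text and element.text.strip():
                found[tag] = element.text.strip()
    return found


def mask(secret: str) -> str:
    """Enough to confirm a hit without writing the password to a report."""
    return f"{secret[0]}***({len(secret)} chars)"


def audit(tftp_server: str, sql_output: str, fetch=None) -> list[dict]:
    """Run the full check. `fetch(url) -> bytes` defaults to an HTTP GET; pass a
    dict lookup (as in the test) to run against saved files instead."""
    if fetch is None:
        def fetch(url):
            with urlopen(url, timeout=5) as response:
                return response.read()
    findings = []
    for name, userid in parse_sql_output(sql_output):
        url = config_url(tftp_server, name)
        try:
            creds = extract_ssh_credentials(fetch(url))
        except Exception as exc:  # unreachable TFTP host, missing file, bad XML
            findings.append({"device": name, "db_sshuserid": userid, "error": str(exc)})
            continue
        password = creds.get("sshPassword")
        findings.append({
            "device": name,
            "db_sshuserid": userid,
            "xml_sshUserId": creds.get("sshUserId"),
            "password_in_config": password is not None,
            "password_hint": mask(password) if password else None,
        })
    return findings


if __name__ == "__main__":
    for finding in audit("10.0.0.5", SAMPLE_SQL_OUTPUT, fetch=SAMPLE_CONFIGS.__getitem__):
        print(finding)
```

Against a live cluster, drop the `fetch=` argument so the script fetches each config over HTTP, and paste the real CLI output into `SAMPLE_SQL_OUTPUT` (or read it from a file). Anything unauthenticated on the voice VLAN can fetch the same URLs, which is the point of the thread: a hit here means the admin credential is already exposed.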

