Hi,
I have realized that when I change a user password, ReportServer makes the following requests:
Request:
POST http://localhost/reportserver/crypto
... net.datenwerke.security.ext.client.crypto.rpc.CryptoRpcService|getHmacPassphrase|1|2|3|4|0|
Response:
//OK[1,["This is the Passphrase used to compute the HMAC key for reportServer passwords."],0,7]
-----------
Request:
POST http://localhost/reportserver/crypto
... net.datenwerke.security.ext.client.crypto.rpc.CryptoRpcService|getSalt|1|2|3|4|0|
Response:
//OK[1,["The salt to be used for encryption. This should simply be a long string."],0,7]
----------
Request:
POST http://localhost/reportserver/crypto
Response:
//OK[128,[],0,7]
----------
Request:
POST http://localhost/reportserver/crypto
net.datenwerke.security.ext.client.crypto.rpc.CryptoRpcService|getUserSalt|1|2|3|4|0|
Response:
//OK[1,["XXXXXXXXXXXX"],0,7]
----------
Request:
POST http://localhost/reportserver/security_password
net.datenwerke.security.ext.client.password.PasswordRpcService|changePassword|java.lang.String/2004016611|Z|oldPasswordEncrypted|NewPasswordEncrypted|1|2|3|4|3|5|5|6|7|8|1|
Response:
//OK[[],0,7]
----------
I think these requests should not be made on the client side because they leak sensitive information (HMAC passphrase, salt, user salt, encrypted password) and can be intercepted using a local proxy like OWASP ZAP. These operations should be performed on the back-end side and be transparent to the user.
Is there any configuration to avoid this behavior?
Regards.
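For readers wondering what the "back-end side" alternative the post asks for looks like in practice, here is an added illustration (it is not ReportServer code, and it does not claim to show how ReportServer stores passwords). The idea is that the client only ever submits the password itself over TLS; the per-user salt, the key-derivation parameters and the verification step stay on the server, so there is nothing equivalent to getHmacPassphrase or getUserSalt for a local proxy to observe. The class name, the iteration count and the sample users are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed example, not ReportServer's implementation. Models server-side
# password verification: the client sends the password over TLS, and the salt
# plus key-derivation parameters never leave the server.

PBKDF2_ITERATIONS = 210_000  # assumed parameter for this example


class ServerSidePasswordStore:
    """Keeps a random per-user salt and a PBKDF2-HMAC-SHA256 digest per user."""

    def __init__(self):
        self._records = {}  # username -> (salt, digest); never sent to clients

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # fresh salt on every change
        self._records[username] = (salt, self._derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Spend comparable CPU so an unknown user is not obvious from timing.
            self._derive(password, b"\x00" * 16)
            return False
        salt, digest = record
        # Constant-time comparison of the stored and recomputed digests.
        return hmac.compare_digest(digest, self._derive(password, salt))

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        """The server-side counterpart of the changePassword call in the post:
        the old password is verified here, and the new one gets a new salt."""
        if not self.verify(username, old_password):
            return False
        self.set_password(username, new_password)
        return True


if __name__ == "__main__":
    store = ServerSidePasswordStore()
    store.set_password("alice", "correct horse")        # constructed sample user
    print(store.change_password("alice", "wrong", "x"))  # False: old password rejected
    print(store.change_password("alice", "correct horse", "battery staple"))  # True
    print(store.verify("alice", "battery staple"))       # True
```

In this design the only secret that crosses the wire is the password itself, protected by TLS; an observer with a proxy on the client sees neither a shared HMAC passphrase nor a salt, and a captured digest cannot be replayed because the server never accepts digests from clients.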
Hi eduardo,
could you help me with this issue, please?
Thanks in advance.