A-MQ Broker / ENTMQBR-1016

[AMQ7,Hawtio] AMQ 7 hawtio console stores user's password in browser's local cache after user logs out


    Details

    • Target Release:
    • Steps to Reproduce:
      1. Log in to the AMQ 7 hawtio console using Chrome.
      2. Enable Chrome Developer tools.
      3. Log out from Hawtio.
      4. Check local storage for the key artemisPassword in Developer tools. Attached screen-shot for reference.
    • Affects:
      Release Notes
    • Release Notes Text:
      A security issue has been fixed for AMQ Console. Before, if you logged into AMQ Console, the value of the Password field was visible from local storage using Google Chrome Developer tools.
    • Release Notes Docs Status:
      Documented as Resolved Issue

      Description

      Security issue with AMQ 7 management console.

      After logging in to the Management Console, in the Management Console Preferences window, under the Artemis tab details, the password field value is clearly visible in the local storage key:value section using Chrome Developer tools.

      In local storage, for the key artemisPassword, the value is the actual password of the user logged in to the admin console.

      This key-value pair is available and visible even if the user logs out from the console and closes the browser.

      Attached is the screen-shot.


          Attachments

          1. AMQ1.png (160 kB)
          2. AMQ2.png (276 kB)
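
The behaviour reported above, as an added example that is not part of the original issue or the AMQ Console code: a logout that leaves `artemisPassword` in storage, next to an audit check and a logout that purges credential-like keys. `MemoryStorage`, the key pattern, the `uiTheme` key and all stored values are assumptions constructed for illustration; not writing the password to local storage at all remains the stronger fix.

```javascript
// In-memory stand-in for window.localStorage (constructed so the example runs
// outside a browser; it mirrors the length/key/getItem/setItem/removeItem API).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Key names that suggest a stored secret. "artemisPassword" is the key named in
// the issue; the rest of the pattern is an assumption for this example.
const SECRET_KEY_PATTERN = /pass(word|wd)?|secret|token|credential/i;

// Audit: return the names of non-empty keys that look like stored credentials.
function findCredentialKeys(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const name = storage.key(i);
    if (SECRET_KEY_PATTERN.test(name) && storage.getItem(name)) hits.push(name);
  }
  return hits;
}

// Logout as the issue describes it: the session ends, storage is untouched.
function logoutLeavingStorage(session) { session.authenticated = false; }

// Logout that also purges credential-like keys. Names are collected first so
// removal does not shift the indexes being iterated.
function logoutAndPurge(session, storage) {
  session.authenticated = false;
  const removed = findCredentialKeys(storage);
  removed.forEach((name) => storage.removeItem(name));
  return removed;
}

// Constructed scenario: log in, log out both ways, audit storage after each.
function demo() {
  const storage = new MemoryStorage();
  const session = { authenticated: true };
  storage.setItem("uiTheme", "dark");               // hypothetical non-secret key
  storage.setItem("artemisPassword", "example-pw"); // constructed value
  logoutLeavingStorage(session);
  const afterPlainLogout = findCredentialKeys(storage);
  const removed = logoutAndPurge(session, storage);
  return { afterPlainLogout, removed, afterPurge: findCredentialKeys(storage) };
}
```

In a browser, pass `window.localStorage` to `findCredentialKeys` to run the same audit against a live session.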


                People

                • Assignee:
                  sknot Stanislav Knot
                  Reporter:
                  rhn-support-shsingh shailendra singh
                  Tester:
                  Oleg Sushchenko
                • Votes:
                  0
                  Watchers:
                  9

                  Dates

                  • Created:
                    Updated:
                    Resolved: