Interestingly, none of these files come up for me on an 11.5.1.13902 system. I can pull an XML file as Anthony showed previously, but not these files. On 9.1.2 and 11.0.1.2000 systems, I can view them just fine. Did something change in 11.5.1 or so to now allow these files?
I don't receive an error, just a blank page, and source is nil.

On Thu, Mar 15, 2018 at 2:35 AM Stephen Welsh <[email protected]> wrote:

> While we are on the subject here are some other non-encrypted TFTP server
> items:
>
>    - ConfigFileCacheList.txt
>    - FileList.txt
>    - BinFileCacheList.txt
>    - PerfMon.txt
>    - ParamList.txt
>    - lddefault.cfg
>
> So you could use the following to get a list of all the device MAC
> addresses anonymously from the TFTP server:
>
> http://TFTPServer:6970/FileList.txt
>
> So with the scenario you describe and just the TFTP Server IP Address you
> could scan all the device configs on the cluster to see if even just one of
> them has the admin credentials saved accidentally on the SSH User/Password
> field.
>
> I suspect this may apply to most clusters....
>
> Kind Regards
>
> Stephen Welsh
> CTO
> UnifiedFX
>
> On 15 Mar 2018, at 07:25, Stephen Welsh <[email protected]> wrote:
>
> Hi Anthony,
>
> Yes, the SSH credentials saved on the device page are available in clear
> text in the phone XML config, it’s not just your environment unfortunately.
> Also I believe the same thing applies for the Telepresence endpoints
> (anything running CE including the DX) for the web page admin credentials
> that are saved in the vendor config section.
>
> We noticed this a little while ago but given most people did not populate
> it, did not consider it a serious issue, however the auto-population of
> credentials is not something we considered. So yes this does look like a
> serious problem when you combine those two together.
>
> Kind Regards
>
> Stephen Welsh
> CTO
> UnifiedFX
>
> On 15 Mar 2018, at 01:50, Anthony Holloway <[email protected]> wrote:
>
> I'm working on something, and was wondering if you could check something
> for me, so I can better understand why and how often this is happening.
>
> So, I was looking at a phone config file today, and I noticed the ccmadmin
> username and password was in the XML, and in plain text nonetheless.
>
> I found out that the browser, when told to remember your credentials, will
> treat the SSH username/password fields as login fields whenever you modify
> a phone, and you might be unknowingly saving your credentials for clear text
> view by unauthenticated users.
>
> Is anyone already aware of this?
>
> You could run the following command on your clusters:
>
> *run sql select name, sshuserid from device where sshuserid is not null and sshuserid <> ""*
>
> Then in the output, if there are any hits, look at the config XML file for
> the phone and see if the passwords are there.
>
> E.g.,
>
> output might be:
>
> *SEP6899CD84B710 aholloway*
>
> So then you would navigate your browser to:
>
> *http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml*
>
> You then might have to view the HTML source of the page, because the
> browser might mess up the output.
>
> You're then looking for the following two fields, your results will vary:
>
> *<sshUserId>aholloway</sshUserId>*
> *<sshPassword>MyP@ssw0rd</sshPassword>*
>
> Then, since we now know it's happening, get a list of how many different
> usernames you have with this command:
>
> *run sql select distinct sshuserid from device where sshuserid is not null and sshuserid <> "" order by sshuserid*
>
> This could also be happening with Energy Wise settings, albeit not on the
> same web pages.
>
> I'm curious about two things:
>
> 1) Is it even happening outside of my limited testing scenarios?
> 2) How many different usernames and passwords were there?
>
> If the answers are yes, and 1 or more, then this is an issue Cisco should
> address.
>
> The reason it's happening is because the way in which browsers identify
> login forms is different from the way in which web developers understand
> it to work. Cisco uses the element attribute on these fields "autocomplete
> = false" and unfortunately, most browsers ignore that directive.
>
> I have noticed that this does not happen if you have more than 1 saved
> password for the same site, rather it will only happen if you use the same
> login for the entire site. Our highest chance of seeing this happen is
> for operations teams where they log in with their own accounts, and do not
> use DRS or OS Admin.
_______________________________________________
cisco-voip mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-voip
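
An offline version of the check described in the thread, as an added example that is not part of the original messages: it audits phone config XML you have already exported from your own cluster for populated `sshUserId`/`sshPassword` fields and reports distinct usernames without echoing any password. The sample configs, their `<device>` layout and the function names are assumptions constructed for illustration; only the two element names and the example values come from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not real device data). The <device> wrapper
# is an assumed layout; elements are matched by name wherever they appear.
SAMPLE_CONFIGS = {
    "SEP6899CD84B710.cnf.xml": (
        "<device><sshUserId>aholloway</sshUserId>"
        "<sshPassword>MyP@ssw0rd</sshPassword></device>"
    ),
    "SEP000000000001.cnf.xml": (
        "<device><sshUserId></sshUserId><sshPassword></sshPassword></device>"
    ),
    "SEP000000000002.cnf.xml": "<device><sshUserId>ops1</sshUserId></device>",
}


def _text(root, tag):
    """Return the stripped text of the first element named `tag`, or ''."""
    node = next(root.iter(tag), None)
    return (node.text or "").strip() if node is not None else ""


def audit_config(name, xml_text):
    """Return a finding dict if SSH credential fields are populated, else None."""
    if "<!DOCTYPE" in xml_text:
        # A phone config has no reason to carry a DTD; refuse rather than parse it.
        raise ValueError(f"{name}: unexpected DOCTYPE, refusing to parse")
    root = ET.fromstring(xml_text)
    user, password = _text(root, "sshUserId"), _text(root, "sshPassword")
    if not user and not password:
        return None
    # Never echo the secret itself; record only that one is present.
    return {"file": name, "sshUserId": user, "password_present": bool(password)}


def audit_all(configs):
    """Audit {filename: xml_text}; return (findings, sorted distinct usernames)."""
    findings = [f for n, x in sorted(configs.items()) if (f := audit_config(n, x))]
    users = sorted({f["sshUserId"] for f in findings if f["sshUserId"]})
    return findings, users


if __name__ == "__main__":
    findings, users = audit_all(SAMPLE_CONFIGS)
    for finding in findings:
        print(finding)
    print("distinct usernames:", users)
```

Any account that appears in the findings with `password_present` set should have its password rotated and the fields cleared on the device page.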
