New GUI 'support' page and root password. 9.3-STABLE

Status
Not open for further replies.

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
When I go to the 'Support' tab in the latest build of 9.3-STABLE, currently 201502271818, the 'Username' field is filled in with 'root' and the 'Password' field has dots in it. Above this is a message in red saying: "Incorrect Username or Password".

Is this page communicating with the 'bugs' server and trying out the username and password? And if it is, is it sending my root password or a hash of it? If so, this would seem to be a security risk.

Edit: I am not sure why these fields are pre-filled. 'Root' is likely to be the current user in the GUI, and if it is only a random or empty password that is sent the dots are misleading. 'Root' is quite unlikely to be the username for the web page, even with conventional capitalisation. There seems to be no way to save the relevant username and password except by submitting a bug, so a 'save username and password' button would be good; or just leave the fields blank until populated by the user?
 
Joined
Jan 9, 2015
Messages
430
I wonder if it is the web browser auto-filling the boxes in? Maybe try clearing the browser cache, refresh the page and try again. Post back and let us know.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
I wonder if it is the web browser auto-filling the boxes in? Maybe try clearing the browser cache, refresh the page and try again. Post back and let us know.

Got it in one! Thanks. However, the browser just fills the boxes in as though they were the main GUI login. So two tiny buglets remain:

1. the credential boxes on the support page look to Safari like the main login box - this might be hard to avoid in the general case;

2. when the credential boxes are filled in and you navigate to the next box in the form, and before one is ready to submit the bug report, the credentials are sent to the server and checked without one expecting it. It is this behaviour which interacts with the browser to send the auto-filled information to the web page.

So I don't really know how to avoid this happening except by disabling password saving for the FreeNAS GUI, which is what I shall have to do. Or never navigate to the support page!
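
The second point above (credentials checked as soon as focus leaves the field), modelled as an added example that is not part of the thread and not FreeNAS code: a blur-triggered check beside one that fires only on an explicit submit. The form model, function names and credential values are all hypothetical and constructed for illustration.

```javascript
// Constructed model of the support form: EventTarget stands in for DOM nodes
// so the same wiring runs in Node and in a browser. All names are hypothetical.
function makeForm() {
  const form = new EventTarget();
  form.username = Object.assign(new EventTarget(), { value: "" });
  form.password = Object.assign(new EventTarget(), { value: "" });
  return form;
}

// Behaviour described in the thread: leaving a credential field triggers a
// remote check, so values a password manager autofilled are sent unprompted.
function wireCheckOnBlur(form, sendToTracker) {
  for (const field of [form.username, form.password]) {
    field.addEventListener("blur", () => {
      if (form.username.value && form.password.value) {
        sendToTracker(form.username.value, form.password.value);
      }
    });
  }
}

// Alternative: credentials leave the page only on an explicit submit.
function wireCheckOnSubmit(form, sendToTracker) {
  form.addEventListener("submit", () => {
    sendToTracker(form.username.value, form.password.value);
  });
}

// Simulate: the browser autofills the saved GUI login, the user tabs through
// both fields to reach the report text, and optionally submits.
function simulate(wire, { submit }) {
  const sent = [];
  const form = makeForm();
  wire(form, (user, pass) => sent.push({ user, pass }));
  form.username.value = "root";               // autofilled (constructed value)
  form.password.value = "gui-login-password"; // autofilled (constructed value)
  form.username.dispatchEvent(new Event("blur"));
  form.password.dispatchEvent(new Event("blur"));
  if (submit) form.dispatchEvent(new Event("submit"));
  return sent;
}

console.log("blur wiring, no submit:", simulate(wireCheckOnBlur, { submit: false }).length);
console.log("submit wiring, no submit:", simulate(wireCheckOnSubmit, { submit: false }).length);
console.log("submit wiring, submit:", simulate(wireCheckOnSubmit, { submit: true }).length);
```

Submit-only wiring does not stop the browser from autofilling the fields; it only ensures nothing is transmitted until the user chooses to send the report.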
 