Plain text post request to proxmox VE

X

xkpx

Member
Jun 17, 2022
6
0
6
I was curious to see if something bad happens in my network if my password can be stolen , and i tested with mitm attack to spy https traffic i see that the password for login field in proxmox-frontend [pve / pam] is send in plain text to the backend.
Is argon2 or some hashing implemented or someone need to pull request it?

Untitled.png
 
Last edited:
you mean from the browser client to the webserver or from the web server to the backend?
 
the only thing that would "protect" against is password reuse, which you really shouldn't do in 2023.. we need the password because depending on the realm, we need to pass it on (e.g. to PAM, or to LDAP/AD, ..) if it's not our backend that does the actual authentication.

furthermore, if we'd hash the password in the client, then an attacker could just steal/MITM the password hash and send it to the server and be authenticated - effectively, the hash becomes the password then. we do store the passwords hashed+salted in the backend, so that a compromise of the host doesn't directly expose all the passwords of the @pve realm.
 
  • Like
Reactions: Dunuin
wait. How it possible that a https connection surf unencrypted passwords - is the login form http?
 
no, pveproxy is only doing TLS (well, and since very recently, if you try to talk plain HTTP it will redirect you to TLS after parsing the headers). OP set up a MITM proxy (that requires either giving that proxy your cert+key, or trusting the MITM cert in the browser/client).
 
ah...this should mean "man in the middle". With SSL break. Now, i do not understand the question anymore.
 
Question is just teoritical , example if someone breaks in office or get access to login machine and setup cert and proxy settings and just listening.. than bad stuff happens. You may say you got cams and prevent measure stuff , and still they are exploits,rats that are undetectable to windows so... and pass is in plain text sniffer by attacker. I was just curious :)
 
Last edited:
xkpx said:
Question is just teoritical , example if someone breaks in office or get access to login machine and setup cert and proxy settings and just listening.. than bad stuff happens. You may say you got cams and prevent measure stuff , and still they are exploits,rats that are undetectable to windows so... and pass is in plain text sniffer by attacker. I was just curious :)
Click to expand...

if your local system is compromised, having the client/browser somehow hash the password doesn't help in any way (the same thing is also true of the server, since the browser executes the JS code provided by the server).
 
xkpx said:
Question is just teoritical , example if someone breaks in office or get access to login machine and setup cert and proxy settings and just listening.. than bad stuff happens.
Click to expand...
Yeah, seen a review video of these totally generic looking hak5 USB cables a week ago with build-in keylogger, rubberducky, wifi for remote access, ... Wouldn't be that hard to gift employes some of those and hope that someone will use them to charge a phone with it using a client PC (or if not, you at least can get access to that emplyes phone ;)).
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom