PKCS12 password exposed in verbose logs via URL query parameter #20

Open
opened 2026-04-29 23:31:22 +02:00 by heiko · 0 comments

Summary

The PKCS12 bundle password is sent as a URL query parameter (?pass=<password>). While the TLS connection protects it in transit, the full URL (including the password) is logged when verbose mode is enabled:

  • Server (cmd/cert-proxy-server/serve.go:20): shared.Verbose("Serving url=%v...", req.URL, ...)
  • Client (cmd/cert-proxy-client/cert/cert.go:175): shared.Verbose("Requesting %s ...", item.remote.URL, ...)

Additionally, any reverse proxy or load balancer in front of the server would log the password in access logs.

Exploitation Scenario

An operator enables -verbose in production for debugging. Log output is captured by a log aggregator (journald, syslog, ELK). An attacker with log access obtains the PKCS12 password. Combined with access to a backup containing the .pfx bundle, they extract the private key.

Recommended Fix

Transmit the password in a request header (e.g., X-PKCS12-Pass) instead of a query parameter. Headers are not part of req.URL.String(), so the two verbose lines above stop printing it without further changes, and most reverse proxies and load balancers do not write request headers to their access logs by default (a proxy explicitly configured to dump headers would still capture it, just as it would an Authorization header).

Alternatively, redact the pass query parameter in verbose log output before printing.
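The following Go program is an added example, not code from the cert-proxy project. It shows both recommendations side by side: a request builder that puts the password in the query string (the shape the issue describes), one that moves it into a header, a server-side reader for that header, and a redaction helper that scrubs the `pass` parameter before a "Serving url=%v" style verbose line is formatted. The header name `X-PKCS12-Pass`, the `name` parameter, the `/bundle` path and the password value are assumptions chosen for the example; the server is an in-process httptest server so the whole thing runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// passHeader is the header assumed here for carrying the bundle password
// (the issue suggests X-PKCS12-Pass; the name is not fixed by the project).
const passHeader = "X-PKCS12-Pass"

// sensitiveQueryKeys lists query parameters whose values must never be logged.
var sensitiveQueryKeys = map[string]bool{"pass": true}

// redactURL returns u as a string with sensitive query values replaced by
// "REDACTED". It works on a copy, so the request's own URL is untouched.
func redactURL(u *url.URL) string {
	q := u.Query()
	found := false
	for k := range q {
		if sensitiveQueryKeys[k] {
			q.Set(k, "REDACTED")
			found = true
		}
	}
	if !found {
		return u.String()
	}
	c := *u
	c.RawQuery = q.Encode()
	return c.String()
}

// legacyRequest builds the request shape the issue describes: the password
// rides in the query string and is therefore part of req.URL.String().
func legacyRequest(base, name, pass string) (*http.Request, error) {
	u, err := url.Parse(base)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	q.Set("name", name)
	q.Set("pass", pass)
	u.RawQuery = q.Encode()
	return http.NewRequest(http.MethodGet, u.String(), nil)
}

// headerRequest builds the fixed shape: only the bundle name is in the URL,
// the password travels in passHeader (assumed name, see above).
func headerRequest(base, name, pass string) (*http.Request, error) {
	u, err := url.Parse(base)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	q.Set("name", name)
	u.RawQuery = q.Encode()
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set(passHeader, pass)
	return req, nil
}

// bundlePassword is the server-side counterpart of headerRequest; it reads
// only the header, so a password left in the query string is ignored.
func bundlePassword(r *http.Request) (string, bool) {
	p := r.Header.Get(passHeader)
	return p, p != ""
}

// verboseLine formats the request the way a "Serving url=%v" verbose log
// would, but through redactURL, so it is safe whichever request shape arrives.
func verboseLine(r *http.Request) string {
	return fmt.Sprintf("Serving url=%v remote=%s", redactURL(r.URL), r.RemoteAddr)
}

func main() {
	var logged []string // stands in for the verbose log sink (journald, syslog, ...)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		logged = append(logged, verboseLine(r))
		pass, ok := bundlePassword(r)
		if !ok {
			http.Error(w, "missing "+passHeader, http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "ok len(pass)=%d", len(pass))
	}))
	defer srv.Close()

	const secret = "hunter2" // constructed sample password, not a real one
	builders := []func(string, string, string) (*http.Request, error){legacyRequest, headerRequest}
	for _, build := range builders {
		req, err := build(srv.URL+"/bundle", "web01", secret)
		if err != nil {
			panic(err)
		}
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			panic(err)
		}
		resp.Body.Close()
		// This is what the client-side "Requesting %s" line would print unredacted.
		fmt.Println(resp.Status, "| client-side URL:", req.URL)
	}
	for _, l := range logged {
		fmt.Println("server log:", l, "| contains secret:", strings.Contains(l, secret))
	}
}
```

Running it shows the legacy request carrying `pass=hunter2` in the client-side URL and being rejected with 400 because the server no longer reads the query parameter, while the header-based request succeeds with a URL that contains no password; neither server log line contains the secret because both go through the redaction helper. Redaction alone only protects the process's own verbose output; the access logs of a reverse proxy or load balancer in front of the server never see the redacted form, which is why moving the password into a header is the primary fix and redaction is the defense-in-depth layer for any query parameter that is still logged. The same `redactURL` call belongs on the client side wherever `item.remote.URL` is logged.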

Reference
heiko/cert-proxy#20