
Django first_run Admin Management Script Bad Practice in Non-Interactive Mode #1046

@bama4

Description

When the first_run django management script is executed in non-interactive mode, a username and password are automatically created for the GovReady instance.

Issues with non-interactive mode:

  • The password appears in plaintext in the terminal.
  • When the admin signs in with the auto-generated credentials, the admin is not forced to change their default password.
  • Users are allowed to register and create profiles before the admin changes the default password.

This could lead to a situation in which the default credentials to the admin account that were printed to stdout are unchanged.

Example output of running: sudo docker container exec -it govready-q first_run --non-interactive

Installing GovReady-Q in non-interactive mode...
WARNING: Use of 'host' environment paramenter deprecated. Please use 'govready-url' environment parameter in future.
INFO: ALLOWED_HOSTS ['localhost']
WARNING: Use of 'https' environment paramenter deprecated. Please use 'govready-url' environment parameter in future.
INFO: Connection scheme is 'http'.
INFO: 'SITE_ROOT_URL' set to http://localhost:8080 
WARNING: Specified PDF generator is not supported. Setting generator to 'off'.
WARNING: Specified IMG generator is not supported. Setting generator to 'off'.
Adding appname 'System-Description-Demo' from AppSource 'govready-q-files-startpack' to catalog.
Adding appname 'PTA-Demo' from AppSource 'govready-q-files-startpack' to catalog.
Adding appname 'rules-of-behavior' from AppSource 'govready-q-files-startpack' to catalog.
Adding AppSource for authoring.
Created administrator account (username: admin) with password: password
Created administrator portfolio admin
You can now login into GovReady-Q...

Risk Level
Fortify detects this issue as Privacy Violation: Critical due to the fact that passwords are being printed to stdout.
Risk level is low depending on level of access that other users have to the system running GovReady.
Printing passwords to stdout without forcing the user to create a new password upon login is more of a bad practice than a vulnerability in this case.

Goal

Plain-text passwords should not be printed to stdout in the terminal. If they are, the account associated with the printed password should be forced to change their password before any further action is taken on the GovReady server.

The suggestion is to:

  • Prevent any user registration until the admin logs into GovReady in the case where GovReady was initialized in non-interactive mode.
  • Force the admin to change their default credentials immediately upon first login in the case where GovReady was initialized in non-interactive mode.

Other options:

  • Remove non-interactive mode entirely if not necessary for GovReady.
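The two suggestions above, sketched as an added framework-free Python example (not GovReady-Q's code and not part of this issue): the non-interactive bootstrap issues a random one-time password instead of a fixed one, flags the admin account for forced rotation, and keeps user registration closed until that rotation has been completed (slightly stricter than "until the admin logs in"). Account, SiteState, route and CHANGE_PASSWORD_PATH are hypothetical names standing in for Django's user model, middleware and password-change view.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

CHANGE_PASSWORD_PATH = "/accounts/password_change/"  # hypothetical view path

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = False

@dataclass
class SiteState:
    accounts: Dict[str, Account] = field(default_factory=dict)
    registration_open: bool = True  # closed while a bootstrap admin is unclaimed

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the framework's own password hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_admin(site: SiteState, username: str = "admin") -> str:
    """Non-interactive bootstrap: random one-time password, flagged for rotation.
    The password is returned to the caller for out-of-band delivery rather than
    printed; signups stay closed until the admin has rotated it."""
    password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    site.accounts[username] = Account(username, salt, hash_password(password, salt), True)
    site.registration_open = False
    return password

def login(site: SiteState, username: str, password: str) -> Optional[Account]:
    acct = site.accounts.get(username)
    if acct is None or not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
        return None
    return acct

def route(acct: Account, path: str) -> str:
    # Middleware-style gate: on the bootstrap password only the change view is reachable.
    return CHANGE_PASSWORD_PATH if acct.must_change_password else path

def change_password(site: SiteState, acct: Account, new_password: str) -> None:
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.must_change_password = False
    site.registration_open = True  # forced rotation done: registration may open
```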
