
Item12324: Configuration log should not contain passwords.

Priority: Enhancement
Current State: Closed
Released In: 1.1.7
Target Release: patch
Applies To: Engine
Component: Configure
Branches: Release01x01
Reported By: TimotheLitt
Waiting For: GeorgeClark
Last Change By: GeorgeClark
Configure's log contains (in plaintext) the value of any PASSWORD fields that are changed.

This doesn't include the 'configure' password - but does include the various passwords used for mail and database access.

I fixed this in trunk, but it needs to be backported to 1.1.x. Since it logs plaintext passwords in a log file that's opened with no special permissions, I worry about this - even though it's a day 0 bug going back to the other wiki. (I also fixed it there, since it raises security concerns.)

-- TimotheLitt - 02 Jan 2013
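As an added illustration of the two fixes the report implies, not Foswiki's own code, the Python below (a) replaces the value of any PASSWORD-typed field with a fixed placeholder before it reaches the configuration change log, and (b) opens the log with owner-only permissions, tightening the mode of an existing file that was created loosely. The schema, key names, log path and sample values are constructed assumptions; POSIX permission semantics are assumed.

```python
import os
import stat
import tempfile

# Constructed example schema (not the real configure spec): key -> field type.
SCHEMA = {
    "{WebMasterEmail}": "STRING",
    "{SMTP}{MAILHOST}": "STRING",
    "{SMTP}{Username}": "STRING",
    "{SMTP}{Password}": "PASSWORD",
    "{Password}": "PASSWORD",  # the 'configure' password itself
}

REDACTED = "*****"


def redact(key, value, schema=SCHEMA):
    """Return the representation of value that may be written to the log.

    A PASSWORD-typed field is replaced by a constant placeholder, so the
    log reveals neither the secret nor its length. Other fields are logged
    verbatim (repr keeps whitespace and quoting visible)."""
    if schema.get(key) == "PASSWORD":
        return REDACTED
    return repr(value)


def format_change(key, old, new, schema=SCHEMA):
    """One log line describing a changed setting, with secrets masked."""
    return "%s: %s -> %s" % (key, redact(key, old, schema),
                             redact(key, new, schema))


def open_log(path):
    """Open (or create) the change log so only the owner can read it.

    O_CREAT with mode 0o600 covers a new file; fchmod afterwards also
    tightens a pre-existing file that was created with default perms."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.fchmod(fd, 0o600)
    return os.fdopen(fd, "a")


def log_changes(path, changes, schema=SCHEMA):
    """Append (key, old, new) tuples to the log; returns the lines written."""
    lines = [format_change(k, o, n, schema) for k, o, n in changes]
    with open_log(path) as fh:
        for line in lines:
            fh.write(line + "\n")
    return lines


def file_mode(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Write a constructed change set to a temp log and report what landed.

    Simulates the reported defect: the log file already exists world-readable
    before the first write, and a mail password is among the changes."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "configure.log")
    # Pre-create the log with loose permissions, as a naive open() might.
    with open(path, "w"):
        pass
    os.chmod(path, 0o644)
    changes = [
        ("{SMTP}{MAILHOST}", "mail.example.org", "smtp.example.org"),
        ("{SMTP}{Password}", "hunter2", "s3cret-value"),
    ]
    lines = log_changes(path, changes)
    with open(path) as fh:
        content = fh.read()
    return {"lines": lines, "content": content, "mode": file_mode(path)}


if __name__ == "__main__":
    result = demo()
    print(result["content"], end="")
    print("mode: %o" % result["mode"])
```

Masking is keyed off the field's declared type rather than its name, so any setting the spec marks as PASSWORD is covered without maintaining a separate deny-list; the placeholder is constant so an attacker cannot infer password length from the log.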

Summary Configuration log should not contain passwords.
ReportedBy TimotheLitt
Codebase 1.1.6, 1.1.6 dev, 1.1.5, 1.1.5 RC2, 1.1.5 RC1, 1.1.4, 1.1.4 RC2, 1.1.4 RC1, 1.1.4 beta2, 1.1.4 beta1, 1.1.3, 1.1.3 RC1, 1.1.3 beta1, 1.1.2, 1.1.1, 1.1.0, 1.1.0 beta1, 1.0.10, 1.0.9, 1.0.8, 1.0.7, 1.0.6, 1.0.5, 1.0.5 beta1, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0, 1.0.0 beta3, 1.0.0 beta2, 1.0.0 beta1
SVN Range
AppliesTo Engine
Component Configure
Priority Enhancement
CurrentState Closed
WaitingFor GeorgeClark
Checkins distro:0242814cc0f5 distro:03f5ea0b4cd7 distro:02bb543e2537
TargetRelease patch
ReleasedIn 1.1.7
CheckinsOnBranches Release01x01
trunkCheckins
Release01x01Checkins distro:0242814cc0f5 distro:03f5ea0b4cd7 distro:02bb543e2537
Topic revision: r7 - 01 Feb 2013, GeorgeClark