Defect #28

LDAP passwords are exposed in clear text in the logs

Added by Yacin Bahi 557 days ago. Updated 556 days ago.

Status: Closed
Priority: Normal
Assigned to: -
Category: -
Target version: -
Start: 
Due date: 
% Done: 0%

Description

Debugging information displays the LDAP password in clear text in the development.log and production.log files.

...cut
Processing AccountController#login (for 10.15.28.114 at 2007-03-28 18:45:37) [POST]
Session ID: 24b78e320a2de5d25615574f8a31e3b2
Parameters: {"action"=>"login", "controller"=>"account",
"login"=>"user11", "password"=>"secretpasswrd"}
User Load (0.002259) SELECT * FROM users WHERE (login='user11') LIMIT 1
AuthSource Load (0.002554) SELECT * FROM auth_sources WHERE (onthefly_register=1)
AuthSource Columns (0.001881) SHOW FIELDS FROM auth_sources
AuthSourceLdap Columns (0.002013) SHOW FIELDS FROM auth_sources
Authenticating 'user11' against 'Company'
DN found for user11: uid=user11,ou=People,o=Company.com
Authentication successful for 'user11'
...cut

History

2007-03-30 12:38 - Jean-Philippe Lang

You're right. This issue was fixed several weeks ago in the code
repository. Now, any parameters containing "password"
are hidden in the logs.

If you can't wait for the next release (that should come in the
next weeks), I suggest you check out the latest source from
the trunk:

svn checkout svn://rubyforge.org/var/svn/redmine/trunk

Jean-Philippe
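The fix described in the comment above, hiding any parameter whose name contains "password" before the request logger writes it, is the job Rails of that era handed to the controller-level `filter_parameter_logging :password` declaration. The block below is an added example, not Redmine's or Rails' own code: a stand-alone re-implementation of that idea (`filter_parameters`, `parameters_log_line`) plus a check (`unfiltered_secrets`) that scans an existing log for "password"-style parameters that were still written in clear, which is what an operator would want to run over the production.log left behind by the unpatched version. The function names, the `[FILTERED]` marker and the sample log text are this example's own choices; the sample log is constructed from the excerpt in the issue description.

```ruby
# Added example (not Redmine's or Rails' code): filter sensitive request
# parameters before they reach the log, and scan an existing log for
# parameters that were logged unfiltered.

FILTERED = "[FILTERED]".freeze

# Build one case-insensitive regexp from a list of key-name substrings.
# "password" also matches "password_confirmation" and "old_password".
def sensitive_key_regexp(patterns)
  Regexp.union(patterns.map { |p| Regexp.new(Regexp.escape(p), Regexp::IGNORECASE) })
end

# Return a copy of +params+ in which the value of every key whose name
# matches one of +patterns+ is replaced by FILTERED. Nested hashes and
# arrays are walked recursively so that nested forms such as
# {"user" => {"password" => "..."}} are covered too.
def filter_parameters(params, patterns = ["password"])
  regex = sensitive_key_regexp(patterns)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = (key.to_s =~ regex) ? FILTERED : filter_parameters(value, patterns)
    end
  when Array
    params.map { |v| filter_parameters(v, patterns) }
  else
    params
  end
end

# The "Parameters:" line as the request logger would write it, after filtering.
def parameters_log_line(params, patterns = ["password"])
  "Parameters: #{filter_parameters(params, patterns).inspect}"
end

# Scan log text for "key"=>"value" pairs whose key matches a sensitive
# pattern and whose value is not the FILTERED marker. Every line is scanned
# (not only lines starting with "Parameters:") because a long parameter hash
# may be wrapped across lines, as in the excerpt in this issue.
# Returns [[line_number, key], ...].
def unfiltered_secrets(log_text, patterns = ["password"])
  regex = sensitive_key_regexp(patterns)
  findings = []
  log_text.each_line.with_index(1) do |line, lineno|
    line.scan(/"([^"]*)"\s*=>\s*"([^"]*)"/) do |key, value|
      findings << [lineno, key] if key =~ regex && value != FILTERED
    end
  end
  findings
end

# Constructed sample log, based on the excerpt in the issue description:
# line 4 carries the clear-text password, line 6 shows a filtered entry.
SAMPLE_LOG = <<~LOG
  Processing AccountController#login (for 10.15.28.114 at 2007-03-28 18:45:37) [POST]
  Session ID: 24b78e320a2de5d25615574f8a31e3b2
  Parameters: {"action"=>"login", "controller"=>"account",
  "login"=>"user11", "password"=>"secretpasswrd"}
  Authenticating 'user11' against 'Company'
  Parameters: {"action"=>"login", "controller"=>"account", "login"=>"user11", "password"=>"[FILTERED]"}
LOG

if __FILE__ == $0
  params = { "action" => "login", "controller" => "account",
             "login" => "user11", "password" => "secretpasswrd" }
  puts parameters_log_line(params)
  unfiltered_secrets(SAMPLE_LOG).each do |lineno, key|
    puts "line #{lineno}: parameter #{key.inspect} logged unfiltered"
  end
end
```

The filter matches on key name, not on value, so it costs nothing per request and needs no knowledge of which auth source (LDAP or local) handled the login; the same substring list should be reviewed whenever a new form field carrying a secret is added. The scanner is deliberately line-oriented and regexp-based so it can be pointed at a rotated log file without loading the application.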

2007-03-30 20:02 - Yacin Bahi

I've updated to the latest code, thx !
--Yacin
