tigase.log.0 contains user passwords in clear text (#948)

tigase.log.0 contains user passwords in clear text (#948)

Activities

	philip.plumlee opened 7 years ago Cross-index this issue with our GDPR efforts... tigase.log.0 contains FINEST lines like this: 2018-02-15 21:50:35.145 [in_14-message-router] MessageRouter.processPacket() FINEST: Processing packet: from=http@oboe/9f3998bf-7da8-46a8-bc39-2940022234f2, to=null, DATA=<iq id="2ccc96fc-6248-4f1d-882b-4afe4e771806" to="sess-man@localhost" from="admin@localhost" type="set"><command node="http://jabber.org/protocol/admin#add-user" xmlns="http://jabber.org/protocol/commands"><x type="submit" xmlns="jabber:x:data"><field var="FORM_TYPE"><value>http://jabber.org/protocol/admin</value></field><field var="accountjid"><value>ablongo@localhost</value></field><field var="password"><value>ablongo</value></field><field var="password-verify"><value>ablongo</value></field><field var="email"><value>ablongo@tigase.net</value></field></x></command></iq>, SIZE=577, XMLNS=null, PRIORITY=NORMAL, PERMISSION=ADMIN, TYPE=set That's from the Ad-Hoc command "add-user", which we are not using, but there could be other passwords in there. The file `tigase-console.log` also contains the `admin-password`. This issue could be high-priority if %kobit says it is... config.tdsl
	wojciech.kapcia@tigase.net commented 7 years ago %Philip.Plumlee - where did you found this excerpt? Do you have any special configuration (e.g. `--packet.debug.full` or `logging() {packet-debug-full}`)? In general we have `tigase.server.Packet#toStringSecure` which should handle this cases and replace all CData elements with it's size.
	philip.plumlee commented 7 years ago Wojciech Kapcia wrote: %Philip.Plumlee - where did you found this excerpt? Do you have any special configuration (e.g. `--packet.debug.full` or `logging() {packet-debug-full}`)? In general we have `tigase.server.Packet#toStringSecure` which should handle this cases and replace all CData elements with it's size. I ran a server 8.0.0 to learn the ad-hoc commands. I attached its `etc/config.tdsl`, but it just has this line: `debug = [ 'server', 'http', 'db' ]`.
	wojciech.kapcia@tigase.net commented 6 years ago Issue fixed: 2018-10-19 20:40:05.777 [pool-33-thread-25] ClientConnectionManager.processSocketData() FINEST: Processing socket data: from=null, to=null, DATA=<iq id="ab36a" xmlns="jabber:client" type="set" to="sess-man@atlantiscity"> <command node="http://jabber.org/protocol/admin#add-user" xmlns="http://jabber.org/protocol/commands"> <x xmlns="jabber:x:data" type="submit"> <field type="hidden" var="FORM_TYPE"> <value>CData size: 32</value> </field> <field type="jid-single" var="accountjid"> <value>CData size: 19</value> </field> <field type="text-private" var="password"> <value>CData size: 14</value> </field> <field type="text-private" var="password-verify"> <value>CData size: 14</value> </field> <field type="text-single" var="email"> <value>CData size: 19</value> </field> </x> </command> </iq>, SIZE=676, XMLNS=jabber:client, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=set from connection: c2s@atlantiscity.local/192.168.1.17_5222_192.168.1.17_53248 Added testcase, information to documentation about `packet-debug-full` option and backported it to 7.1.x

Type	Bug
Priority	Normal
Assignee	wojciech.kapcia@tigase.net
RedmineID	7495
Version	tigase-server-8.0.0
Spent time	12h 30m

Issue Votes (0)

Watchers (0)

Reference

tigase/_server/server-core#948

Please wait...

Page is in error, reload to recover