Projects tigase _server server-core Issues #948
tigase.log.0 contains user passwords in clear text (#948)
Closed
philip.plumlee opened 7 years ago

Cross-index this issue with our GDPR efforts...

tigase.log.0 contains FINEST lines like this:

2018-02-15 21:50:35.145 [in_14-message-router] MessageRouter.processPacket() FINEST: Processing packet: from=http@oboe/9f3998bf-7da8-46a8-bc39-2940022234f2, to=null, DATA=<iq id="2ccc96fc-6248-4f1d-882b-4afe4e771806" to="sess-man@localhost" from="admin@localhost" type="set"><command node="http://jabber.org/protocol/admin#add-user" xmlns="http://jabber.org/protocol/commands"><x type="submit" xmlns="jabber:x:data"><field var="FORM_TYPE"><value>http://jabber.org/protocol/admin</value></field><field var="accountjid"><value>ablongo@localhost</value></field><field var="password"><value>ablongo</value></field><field var="password-verify"><value>ablongo</value></field><field var="email"><value>ablongo@tigase.net</value></field></x></command></iq>, SIZE=577, XMLNS=null, PRIORITY=NORMAL, PERMISSION=ADMIN, TYPE=set

That's from the Ad-Hoc command "add-user", which we are not using, but there could be other passwords in there. The file tigase-console.log also contains the admin-password.

This issue could be high-priority if %kobit says it is...

config.tdsl

wojciech.kapcia@tigase.net commented 7 years ago

%Philip.Plumlee - where did you found this excerpt? Do you have any special configuration (e.g. --packet.debug.full or logging() {packet-debug-full})?

In general we have tigase.server.Packet#toStringSecure which should handle this cases and replace all CData elements with it's size.

philip.plumlee commented 7 years ago

Wojciech Kapcia wrote:

%Philip.Plumlee - where did you found this excerpt? Do you have any special configuration (e.g. --packet.debug.full or logging() {packet-debug-full})?

In general we have tigase.server.Packet#toStringSecure which should handle this cases and replace all CData elements with it's size.

I ran a server 8.0.0 to learn the ad-hoc commands. I attached its etc/config.tdsl, but it just has this line: debug = [ 'server', 'http', 'db' ].

wojciech.kapcia@tigase.net commented 6 years ago

Issue fixed:

2018-10-19 20:40:05.777 [pool-33-thread-25]  ClientConnectionManager.processSocketData()  FINEST: Processing socket data: from=null, to=null, DATA=<iq id="ab36a" xmlns="jabber:client" type="set" to="sess-man@atlantiscity">
<command node="http://jabber.org/protocol/admin#add-user" xmlns="http://jabber.org/protocol/commands">
<x xmlns="jabber:x:data" type="submit">
<field type="hidden" var="FORM_TYPE">
<value>CData size: 32</value>
</field>
<field type="jid-single" var="accountjid">
<value>CData size: 19</value>
</field>
<field type="text-private" var="password">
<value>CData size: 14</value>
</field>
<field type="text-private" var="password-verify">
<value>CData size: 14</value>
</field>
<field type="text-single" var="email">
<value>CData size: 19</value>
</field>
</x>
</command>
</iq>, SIZE=676, XMLNS=jabber:client, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=set from connection: c2s@atlantiscity.local/192.168.1.17_5222_192.168.1.17_53248

Added testcase, information to documentation about packet-debug-full option and backported it to 7.1.x

issue 1 of 1
Type
Bug
Priority
Normal
Assignee
RedmineID
7495
Version
tigase-server-8.0.0
Spent time
12h 30m
Issue Votes (0)
Watchers (0)
Reference
tigase/_server/server-core#948
Please wait...
Page is in error, reload to recover