Bug #7495

tigase.log.0 contains user passwords in clear text

Added by Philip Plumlee 10 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Database: n/a
Applicable version: 8.0.0
Source Code Disclaimer:

Description

Cross-index this issue with our GDPR efforts...

tigase.log.0 contains FINEST lines like this:

2018-02-15 21:50:35.145 [in_14-message-router] MessageRouter.processPacket() FINEST: Processing packet: from=http@oboe/9f3998bf-7da8-46a8-bc39-2940022234f2, to=null, DATA=<iq id="2ccc96fc-6248-4f1d-882b-4afe4e771806" to="sess-man@localhost" from="admin@localhost" type="set"><command node="http://jabber.org/protocol/admin#add-user" xmlns="http://jabber.org/protocol/commands"><x type="submit" xmlns="jabber:x:data"><field var="FORM_TYPE"><value>http://jabber.org/protocol/admin</value></field><field var="accountjid"><value>ablongo@localhost</value></field><field var="password"><value>ablongo</value></field><field var="password-verify"><value>ablongo</value></field><field var="email"><value>ablongo@tigase.net</value></field></x></command></iq>, SIZE=577, XMLNS=null, PRIORITY=NORMAL, PERMISSION=ADMIN, TYPE=set

That's from the Ad-Hoc command "add-user", which we are not using, but there could be other passwords in there. The file tigase-console.log also contains the admin-password.

This issue could be high-priority if %kobit says it is...

Attachment: config.tdsl (380 Bytes), Philip Plumlee, 2018-05-08 12:13 PM

Associated revisions

Revision 89822250 (diff)
Added by W Administrator 4 months ago

#7495 fix issue with not all logs being obfuscated, testcase

Revision e485eaa0 (diff)
Added by W Administrator 4 months ago

#7495 fix issue with not all logs being obfuscated, testcase, documentation

Revision a3625bce (diff)
Added by W Administrator 4 months ago

#7495 include information in release notes

Revision a6050081 (diff)
Added by W Administrator 4 months ago

#7495 include information in release notes, fix release notes formatting and links

History

#1 Updated by Wojciech Kapcia TigaseTeam 10 months ago

%Philip.Plumlee - where did you find this excerpt? Do you have any special configuration (e.g. --packet.debug.full or logging() {packet-debug-full})?

In general we have tigase.server.Packet#toStringSecure, which should handle these cases and replace all CData elements with their size.

#2 Updated by Philip Plumlee 10 months ago

Wojciech Kapcia wrote:

%Philip.Plumlee - where did you find this excerpt? Do you have any special configuration (e.g. --packet.debug.full or logging() {packet-debug-full})?

In general we have tigase.server.Packet#toStringSecure, which should handle these cases and replace all CData elements with their size.

I ran an 8.0.0 server to learn the ad-hoc commands. I attached its etc/config.tdsl, but it just has this line: debug = [ 'server', 'http', 'db' ].

#3 Updated by Wojciech Kapcia TigaseTeam 4 months ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Issue fixed:

2018-10-19 20:40:05.777 [pool-33-thread-25]  ClientConnectionManager.processSocketData()  FINEST: Processing socket data: from=null, to=null, DATA=<iq id="ab36a" xmlns="jabber:client" type="set" to="sess-man@atlantiscity">
<command node="http://jabber.org/protocol/admin#add-user" xmlns="http://jabber.org/protocol/commands">
<x xmlns="jabber:x:data" type="submit">
<field type="hidden" var="FORM_TYPE">
<value>CData size: 32</value>
</field>
<field type="jid-single" var="accountjid">
<value>CData size: 19</value>
</field>
<field type="text-private" var="password">
<value>CData size: 14</value>
</field>
<field type="text-private" var="password-verify">
<value>CData size: 14</value>
</field>
<field type="text-single" var="email">
<value>CData size: 19</value>
</field>
</x>
</command>
</iq>, SIZE=676, XMLNS=jabber:client, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=set from connection: c2s@atlantiscity.local/192.168.1.17_5222_192.168.1.17_53248

Added a test case and information to the documentation about the packet-debug-full option, and backported it to 7.1.x.
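The masking that comment #1 attributes to Packet#toStringSecure, and that the fixed log output above shows, as an added Python example (not Tigase's own code): mask_cdata rewrites every text node of a stanza to "CData size: N" while keeping tags and attributes, and unmasked_fields is a check an operator can run over existing tigase.log lines to find data-form passwords that were written in the clear. The sample stanza and log line are constructed after the report; the password value is made up.

```python
import re

# Constructed sample stanza, modelled on the add-user command in the report
# (the password value is made up for this example).
SAMPLE_STANZA = (
    '<iq id="2ccc96fc" to="sess-man@localhost" from="admin@localhost" type="set">'
    '<command node="http://jabber.org/protocol/admin#add-user" '
    'xmlns="http://jabber.org/protocol/commands">'
    '<x type="submit" xmlns="jabber:x:data">'
    '<field var="FORM_TYPE"><value>http://jabber.org/protocol/admin</value></field>'
    '<field var="accountjid"><value>ablongo@localhost</value></field>'
    '<field var="password"><value>ablongo</value></field>'
    '<field var="password-verify"><value>ablongo</value></field>'
    '<field var="email"><value>ablongo@tigase.net</value></field>'
    '</x></command></iq>'
)

# Constructed FINEST log line in the shape tigase.log.0 used before the fix.
LEAKY_LINE = (
    "2018-02-15 21:50:35.145 [in_14-message-router] MessageRouter.processPacket() "
    "FINEST: Processing packet: from=http@oboe/9f3998bf, to=null, DATA="
    + SAMPLE_STANZA + ", SIZE=577, XMLNS=null, PRIORITY=NORMAL, PERMISSION=ADMIN, TYPE=set"
)

# Text between a closing '>' and the next '<' is element character data (CData).
CDATA_RE = re.compile(r">([^<]+)<")
# A data-form field and the value directly inside it; newlines allowed, as in the fixed log.
FIELD_RE = re.compile(r'<field[^>]*\bvar="([^"]+)"[^>]*>\s*<value>([^<]*)</value>')

def mask_cdata(text: str) -> str:
    """Replace every non-blank text node with 'CData size: N', keeping tags and attributes."""
    def replace(match):
        cdata = match.group(1)
        if not cdata.strip():          # whitespace between tags is layout, not data
            return match.group(0)
        return f">CData size: {len(cdata)}<"
    return CDATA_RE.sub(replace, text)

def unmasked_fields(log_line: str, sensitive=("password", "password-verify")) -> list:
    """Names of sensitive data-form fields whose value was logged in clear text."""
    leaks = []
    for var, value in FIELD_RE.findall(log_line):
        if var in sensitive and value and not value.startswith("CData size:"):
            leaks.append(var)
    return leaks

if __name__ == "__main__":
    print("clear-text fields before masking:", unmasked_fields(LEAKY_LINE))
    print("clear-text fields after masking: ", unmasked_fields(mask_cdata(LEAKY_LINE)))
```

Running unmasked_fields over each line of a log file is a quick way to confirm that an upgraded server no longer writes form values in the clear.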
