You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@directory.apache.org by "Kiran Ayyagari (JIRA)" <ji...@apache.org> on 2010/09/02 07:36:55 UTC

[jira] Closed: (DIRSERVER-1544) Logs store the user password in clear

     [ https://issues.apache.org/jira/browse/DIRSERVER-1544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kiran Ayyagari closed DIRSERVER-1544.
-------------------------------------

    Resolution: Fixed

Fixed the toString() method in the BindRequestImpl [1] , closing this issue assuming we are not printing credentials anywhere else
in the code (any such occurrences should be fixed when found).

[1] http://svn.apache.org/viewvc?rev=991816&view=rev

> Logs store the user password in clear
> -------------------------------------
>
>                 Key: DIRSERVER-1544
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1544
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.5.7
>            Reporter: Emmanuel Lecharny
>            Assignee: Kiran Ayyagari
>            Priority: Blocker
>             Fix For: 2.0.0-RC1
>
>
> When issuing a BindRequest with DEBUG log activated, the logs contain the user password :
> [11:02:51] DEBUG [org.apache.directory.server.ldap.handlers.BindHandler] - Received:     BindRequest
>         Version : '3'
>         Name : 'uid=elecharny,ou=People,dc=iktek,dc=com'
>         Simple authentication : 'My password/0x...'
> This is a bit an issue, IMO...
> Of course, if we dump the PDU, we will be able to get those info too, but it's not really safe anyway.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.