You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Kiran Ayyagari (JIRA)" <ji...@apache.org> on 2010/09/02 07:36:55 UTC
[jira] Closed: (DIRSERVER-1544) Logs store the user password in
clear
[ https://issues.apache.org/jira/browse/DIRSERVER-1544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kiran Ayyagari closed DIRSERVER-1544.
-------------------------------------
Resolution: Fixed
Fixed the toString() method in the BindRequestImpl [1] , closing this issue assuming we are not printing credentials anywhere else
in the code (any such occurrences should be fixed when found).
[1] http://svn.apache.org/viewvc?rev=991816&view=rev
> Logs store the user password in clear
> -------------------------------------
>
> Key: DIRSERVER-1544
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1544
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.7
> Reporter: Emmanuel Lecharny
> Assignee: Kiran Ayyagari
> Priority: Blocker
> Fix For: 2.0.0-RC1
>
>
> When issuing a BindRequest with DEBUG log activated, the logs contain the user password :
> [11:02:51] DEBUG [org.apache.directory.server.ldap.handlers.BindHandler] - Received: BindRequest
> Version : '3'
> Name : 'uid=elecharny,ou=People,dc=iktek,dc=com'
> Simple authentication : 'My password/0x...'
> This is a bit an issue, IMO...
> Of course, if we dump the PDU, we will be able to get those info too, but it's not really safe anyway.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.