directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <>
Subject [jira] Created: (DIRSERVER-1544) Logs store the user password in clear
Date Fri, 20 Aug 2010 09:08:17 GMT
Logs store the user password in clear

                 Key: DIRSERVER-1544
             Project: Directory ApacheDS
          Issue Type: Bug
    Affects Versions: 1.5.7
            Reporter: Emmanuel Lecharny
            Priority: Blocker
             Fix For: 2.0.0-RC1

When issuing a BindRequest with DEBUG log activated, the logs contain the user password:

[11:02:51] DEBUG [] - Received:     BindRequest
        Version : '3'
        Name : 'uid=elecharny,ou=People,dc=iktek,dc=com'
        Simple authentication : 'My password/0x...'

This is a bit of an issue, IMO...

Of course, if we dump the PDU, we will be able to get that info too, but it's not really
safe anyway.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
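
For logs already written with DEBUG enabled, the following added example (not part of the message above and not ApacheDS code) masks the credential line of each BindRequest entry and lists the DNs whose passwords were exposed. It assumes the entry layout quoted in the report; the function name scrub and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the layout quoted in the report, plus one non-Bind entry.
SAMPLE_LOG = """\
[11:02:51] DEBUG [] - Received:     BindRequest
        Version : '3'
        Name : 'uid=elecharny,ou=People,dc=iktek,dc=com'
        Simple authentication : 'My password/0x...'
[11:02:52] DEBUG [] - Received:     SearchRequest
        Filter : '(description=Simple authentication : none)'
"""

ENTRY_START = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]\s+\w+")  # first line of an entry
NAME_LINE = re.compile(r"^\s*Name\s*:\s*'(.*)'\s*$")
AUTH_LINE = re.compile(r"^(\s*Simple authentication\s*:\s*)'.*'\s*$")


def scrub(log_text):
    """Return (redacted_text, exposed_dns) for DEBUG output in the quoted layout.

    Only credential lines inside a BindRequest entry are masked. The DN from the
    same entry is collected so those accounts can have their passwords rotated.
    """
    out, exposed = [], []
    in_bind, current_dn = False, None
    for line in log_text.splitlines():
        if ENTRY_START.match(line):
            # A timestamped line opens a new entry and resets the state.
            in_bind = line.rstrip().endswith("BindRequest")
            current_dn = None
        elif in_bind:
            name = NAME_LINE.match(line)
            auth = AUTH_LINE.match(line)
            if name:
                current_dn = name.group(1)
            elif auth:
                # Keep the label and indentation, drop the secret entirely.
                line = auth.group(1) + "'<redacted>'"
                exposed.append(current_dn or "<unknown DN>")
        out.append(line)
    return "\n".join(out) + "\n", exposed


if __name__ == "__main__":
    redacted, dns = scrub(SAMPLE_LOG)
    print(redacted, end="")
    print("rotate credentials for:", dns)
```

Masking the file after the fact does not cover copies already shipped to log aggregators or backups, so the returned DN list is the part to act on.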
