directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Created: (DIRSERVER-1544) Logs store the user password in clear
Date Fri, 20 Aug 2010 09:08:17 GMT
Logs store the user password in clear
-------------------------------------

                 Key: DIRSERVER-1544
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1544
             Project: Directory ApacheDS
          Issue Type: Bug
    Affects Versions: 1.5.7
            Reporter: Emmanuel Lecharny
            Priority: Blocker
             Fix For: 2.0.0-RC1


When issuing a BindRequest with DEBUG log activated, the logs contain the user password:

[11:02:51] DEBUG [org.apache.directory.server.ldap.handlers.BindHandler] - Received:     BindRequest
        Version : '3'
        Name : 'uid=elecharny,ou=People,dc=iktek,dc=com'
        Simple authentication : 'My password/0x...'

This is a bit of an issue, IMO...

Of course, if we dump the PDU, we will be able to get that info too, but it's not really
safe anyway.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


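An added example (not part of the original message and not ApacheDS code): a Python pass over logs already written in the layout quoted in the report. It redacts the 'Simple authentication' value and lists the bind DNs whose passwords were exposed, so those credentials can be rotated. The sample log lines, DNs and passwords are constructed, and the regexes assume the record layout shown above.

```python
import re

# Patterns follow the BindRequest dump layout quoted in the report (assumed stable).
RECORD_START = re.compile(r"DEBUG \[[\w.]*BindHandler\] - Received:\s+BindRequest")
NAME = re.compile(r"^\s+Name : '(.*)'\s*$")
SIMPLE_AUTH = re.compile(r"^(\s+Simple authentication : )'.*'\s*$")
NEW_ENTRY = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]")  # a timestamp opens the next log entry


def scrub(lines):
    """Return (redacted_lines, exposed_dns) for an iterable of log lines."""
    out, exposed = [], []
    in_bind, dn = False, None
    for line in lines:
        if NEW_ENTRY.match(line):
            # Only continuation lines of a BindHandler record are inspected.
            in_bind, dn = bool(RECORD_START.search(line)), None
        elif in_bind:
            m = NAME.match(line)
            if m:
                dn = m.group(1)
            m = SIMPLE_AUTH.match(line)
            if m:
                # Greedy match to end of line also covers quotes inside the password.
                line = m.group(1) + "'[REDACTED]'"
                exposed.append(dn or "<unknown DN>")
        out.append(line)
    return out, exposed


# Constructed sample in the same layout as the excerpt in the report.
SAMPLE = """\
[11:02:51] DEBUG [org.apache.directory.server.ldap.handlers.BindHandler] - Received:     BindRequest
        Version : '3'
        Name : 'uid=alice,ou=People,dc=example,dc=com'
        Simple authentication : 'constructed-secret/0x63 0x6F'
[11:02:52] DEBUG [org.example.Other] - Simple authentication : 'not a bind record'
[11:03:10] DEBUG [org.apache.directory.server.ldap.handlers.BindHandler] - Received:     BindRequest
        Version : '3'
        Name : 'uid=bob,ou=People,dc=example,dc=com'
        Simple authentication : 'it's-constructed/0x69'
""".splitlines()

if __name__ == "__main__":
    redacted, dns = scrub(SAMPLE)
    print("\n".join(redacted))
    print("Rotate credentials for:", sorted(set(dns)))
```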