directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kiran Ayyagari (JIRA)" <j...@apache.org>
Subject [jira] Closed: (DIRSERVER-1544) Logs store the user password in clear
Date Thu, 02 Sep 2010 05:36:55 GMT

     [ https://issues.apache.org/jira/browse/DIRSERVER-1544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Kiran Ayyagari closed DIRSERVER-1544.
-------------------------------------

    Resolution: Fixed

Fixed the toString() method in the BindRequestImpl [1] , closing this issue assuming we are
not printing credentials anywhere else
in the code (any such occurrences should be fixed when found).

[1] http://svn.apache.org/viewvc?rev=991816&view=rev

> Logs store the user password in clear
> -------------------------------------
>
>                 Key: DIRSERVER-1544
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1544
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.5.7
>            Reporter: Emmanuel Lecharny
>            Assignee: Kiran Ayyagari
>            Priority: Blocker
>             Fix For: 2.0.0-RC1
>
>
> When issuing a BindRequest with DEBUG log activated, the logs contain the user password
:
> [11:02:51] DEBUG [org.apache.directory.server.ldap.handlers.BindHandler] - Received:
    BindRequest
>         Version : '3'
>         Name : 'uid=elecharny,ou=People,dc=iktek,dc=com'
>         Simple authentication : 'My password/0x...'
> This is a bit an issue, IMO...
> Of course, if we dump the PDU, we will be able to get those info too, but it's not really
safe anyway.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message