JBoss Enterprise Application Platform 4 and 5 / JBPAPP-8089

auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter


Details

    • Bug
    • Resolution: Done
    • Minor
    • EAP_EWP 5.2.0
    • EAP_EWP 5.1.2
    • Security
    • None
    • all

    • Steps to Reproduce:

      Enable auditing:

      Add the below option to JAVA_OPTS
      -Dorg.jboss.security.web.audit=headers,cookies,parameters

      Update the server.xml file to enable the audit:

      <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
      certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
      allRolesMode="authOnly"
      enableAudit="true"
      />

      Update the jboss-log4j.xml:

      Add a category:

      <category name="org.jboss.security.audit.providers.LogAuditProvider" additivity="false">
      <priority value="TRACE"></priority>
      <appender-ref ref="AUDIT"/>
      </category>

      Uncomment the appender "AUDIT"

      Deploy any FORM-authentication-enabled application war and log in.

      The "audit.log" will show the password in the clear.

    • Release Notes
    • Low
    • Release Notes Text:
      The <systemitem>j_password</systemitem> form field parameter was not filtered out of auditing logs, which caused unintended password exposure in the <filename>audit.log</filename> file. The underlying source code for audit logging has been enhanced to filter out the <systemitem>j_password</systemitem> parameter so that it no longer occurs in the <filename>audit.log</filename> file.
    • Documented as Resolved Issue
    • NEW

    Description

      auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter

      See: jbosssx/src/main/java/org/jboss/security/authorization/resources/WebResource.java

      Headers filter:
      180 if(headerName.contains("authorization") == false)
      181 sb.append(httpRequest.getHeader(headerName)).append(",");

      No filtering for params:

      197 sb.append(paramValues[i]).append("::");

      Suggested solution:

      197 if (!paramName.equalsIgnoreCase("j_password")) sb.append(paramValues[i]).append("::");
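An added illustration, not code from JBoss EAP or jbosssx, of the inconsistency the steps above reproduce and the description quotes: a stand-in for the WebResource.java audit-string builder that applies the header filter from line 180 and, when asked, the parameter filter proposed for line 197. The class, method and parameter names, and the sensitive-parameter list, are assumptions.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class AuditRedaction {
    // Parameter names whose values must not reach audit.log (assumed list; the
    // report itself names only j_password).
    static final List<String> SENSITIVE_PARAMS = Arrays.asList("j_password");

    static boolean isSensitive(String paramName) {
        for (String s : SENSITIVE_PARAMS) if (s.equalsIgnoreCase(paramName)) return true;
        return false;
    }

    // Builds an audit line the way the quoted WebResource.java loops do. With
    // filterParams=false the header filter applies but every parameter value is
    // appended verbatim (the reported behaviour); with filterParams=true the value
    // of a sensitive parameter is replaced, along the lines of the suggested fix.
    static String audit(Map<String, String> headers, Map<String, String[]> params,
                        boolean filterParams) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> h : headers.entrySet()) {
            // header names compared lower-cased, as the servlet container reports them
            if (h.getKey().toLowerCase().contains("authorization") == false)
                sb.append(h.getKey()).append("=").append(h.getValue()).append(",");
        }
        for (Map.Entry<String, String[]> p : params.entrySet()) {
            sb.append(p.getKey()).append("=");
            boolean redact = filterParams && isSensitive(p.getKey());
            for (String v : p.getValue()) sb.append(redact ? "[FILTERED]" : v).append("::");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample FORM login request
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Authorization", "Basic <constructed-credentials>");
        headers.put("User-Agent", "test-client");
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("j_username", new String[] {"alice"});
        params.put("j_password", new String[] {"s3cret"});
        String after = audit(headers, params, true);
        System.out.println("before: " + audit(headers, params, false));
        System.out.println("after:  " + after);
        // Regression check: credentials must not appear once filtering is on
        if (after.contains("s3cret") || after.contains("constructed-credentials"))
            throw new AssertionError("credential leaked into audit line");
    }
}
```

The "before" line carries the j_password value exactly as the reproduction steps show it in audit.log; the "after" line keeps the parameter name so the audit trail still records that a login was attempted.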

            People

              olukas Ondrej Lukas (Inactive)
              tfonteyn Tom Fonteyne (Inactive)
              Petr Penicka Petr Penicka (Inactive)