Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-753

PicketBox Logger logging does not mask credentials when logging LDAP connection environment

    Details

      Description

      It was reported that the PicketBoxLogger interface logs the client credentials when TRACE level is set. Although we do not consider this a security flaw in itself, we do recommend that this be considered as a candidate for a security-in-depth fix.

      At the very least, the default implementation should mask the authenticating user's credentials. The bindCredential value is already available in the configuration, however this too can be considered an issue if the configuration files use encrypted passwords.

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                sguilhen Stefan Guilhen
                Reporter:
                sguilhen Stefan Guilhen
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: