
PicketBox Logger logging does not mask credentials when logging LDAP connection environment

Details

    • Bug
    • Resolution: Done
    • Major
    • PicketBox_4_0_20.Beta2
    • PicketBox_4_0_20.Beta1
    • JBossSX
    • None

Description

It was reported that the PicketBoxLogger interface logs the client credentials when the TRACE level is set. Although we do not consider this a security flaw in itself, we do recommend that this be considered as a candidate for a security-in-depth fix.

At the very least, the default implementation should mask the authenticating user's credentials. The bindCredential value is already available in the configuration; however, this too can be considered an issue if the configuration files use encrypted passwords.
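One way a default logger implementation could mask the credential before emitting the LDAP connection environment at TRACE level. This is an added illustration, not PicketBox's own code: the class name and the extra key patterns are assumptions; the `java.naming.*` keys are the standard JNDI constants from `javax.naming.Context`.

```java
import java.util.Hashtable;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import javax.naming.Context;

// Added example (not PicketBox code): build a copy of a JNDI/LDAP environment
// that is safe to write to a TRACE log. The class and method names are assumptions.
public final class LdapEnvMasker {
    private static final String MASK = "*****";

    // Standard JNDI credential key plus defensive name patterns (assumption:
    // any key mentioning "credential" or "password" is treated as sensitive).
    static boolean isSensitive(String key) {
        String k = key.toLowerCase(Locale.ROOT);
        return k.equals(Context.SECURITY_CREDENTIALS)
                || k.contains("credential")
                || k.contains("password");
    }

    // Returns a sorted copy with sensitive values replaced by MASK. The key is
    // kept so the trace still shows that a credential was configured; the
    // original Hashtable is left untouched so the LDAP bind is unaffected.
    public static Map<String, Object> maskForLogging(Hashtable<?, ?> env) {
        Map<String, Object> safe = new TreeMap<>();
        for (Map.Entry<?, ?> e : env.entrySet()) {
            String key = String.valueOf(e.getKey());
            safe.put(key, isSensitive(key) ? MASK : e.getValue());
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample environment, as a login module would build it.
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.test:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=binduser,dc=example,dc=test");
        env.put(Context.SECURITY_CREDENTIALS, "constructed-secret"); // constructed value

        // Only the masked copy is ever handed to the logger.
        String traceLine = "LDAP env: " + maskForLogging(env);
        if (traceLine.contains("constructed-secret")) {
            throw new AssertionError("credential leaked into log line");
        }
        System.out.println(traceLine);
    }
}
```

Masking the value rather than dropping the key keeps the TRACE output useful for diagnosing bind configuration without exposing the bindCredential, whether it was given in clear text or decrypted from an encrypted configuration.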

People

sguilhen Stefan Guilhen
