Details
-
Bug
-
Resolution: Done
-
Major
-
PicketBox_4_0_20.Beta1
-
None
Description
It was reported that the PicketBoxLogger interface logs the client credentials when TRACE level is set. Although we do not consider this a security flaw in itself, we do recommend that this be considered as a candidate for a security-in-depth fix.
At the very least, the default implementation should mask the authenticating user's credentials. The bindCredential value is already available in the configuration, however this too can be considered an issue if the configuration files use encrypted passwords.