[jboss-jira] [JBoss JIRA] (SECURITY-650) auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter

[Tom Fonteyne (JIRA)]

     [ https://issues.jboss.org/browse/SECURITY-650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tom Fonteyne reassigned SECURITY-650:
-------------------------------------

    Assignee: Tom Fonteyne  (was: Anil Saldhana)

    
> auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SECURITY-650
>                 URL: https://issues.jboss.org/browse/SECURITY-650
>             Project: PicketBox (JBoss Security and Identity Management)
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: PicketBox
>    Affects Versions: JBossSecurity_2.0.4.SP9
>            Reporter: Tom Fonteyne
>            Assignee: Tom Fonteyne
>            Priority: Minor
>             Fix For: PicketBox_v4_0_8.Final
>
>
> auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter
> See: jbosssx/​ src/​ main/​ java/​ org/​ jboss/​ security/​ authorization/​ resources/​ WebResource.java
> Headers filter:
> 180 if(headerName.contains("authorization") == false)
> 181 sb.append(httpRequest.getHeader(headerName)).append(",");
> No filtering for params:
> 197 sb.append(paramValues[i]).append("::");

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira