[jboss-jira] [JBoss JIRA] (SECURITY-753) PicketBox Logger logging does not mask credentials when logging LDAP connection environment
Stefan Guilhen (JIRA)
jira-events at lists.jboss.org
Mon Oct 21 16:16:02 EDT 2013
Stefan Guilhen created SECURITY-753:
---------------------------------------
Summary: PicketBox Logger logging does not mask credentials when logging LDAP connection environment
Key: SECURITY-753
URL: https://issues.jboss.org/browse/SECURITY-753
Project: PicketBox
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: JBossSX
Affects Versions: PicketBox_4_0_20.Beta1
Reporter: Stefan Guilhen
Assignee: Stefan Guilhen
Fix For: PicketBox_4_0_20.Beta2
It was reported that the PicketBoxLogger interface logs the client credentials when TRACE level is set. Although we do not consider this a security flaw in itself, we do recommend that this be considered as a candidate for a security-in-depth fix.
At the very least, the default implementation should mask the authenticating user's credentials. The bindCredential value is already available in the configuration, however this too can be considered an issue if the configuration files use encrypted passwords.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list