[jboss-jira] [JBoss JIRA] (SECURITY-753) PicketBox Logger logging does not mask credentials when logging LDAP connection environment

Stefan Guilhen (JIRA) jira-events at lists.jboss.org
Mon Oct 21 17:37:02 EDT 2013


     [ https://issues.jboss.org/browse/SECURITY-753?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Guilhen resolved SECURITY-753.
-------------------------------------

    Resolution: Done


The code now masks the credentials before calling the Logger.
                
> PicketBox Logger logging does not mask credentials when logging LDAP connection environment
> -------------------------------------------------------------------------------------------
>
>                 Key: SECURITY-753
>                 URL: https://issues.jboss.org/browse/SECURITY-753
>             Project: PicketBox 
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: JBossSX
>    Affects Versions: PicketBox_4_0_20.Beta1
>            Reporter: Stefan Guilhen
>            Assignee: Stefan Guilhen
>             Fix For: PicketBox_4_0_20.Beta2
>
>
> It was reported that the PicketBoxLogger interface logs the client credentials when TRACE level is set. Although we do not consider this a security flaw in itself, we do recommend that this be considered as a candidate for a security-in-depth fix. 
> At the very least, the default implementation should mask the authenticating user's credentials. The bindCredential value is already available in the configuration, however this too can be considered an issue if the configuration files use encrypted passwords.

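The fix described in this ticket is to mask the bind credential before the LDAP connection environment reaches the logger at TRACE level. The following is an added illustration of that pattern, not PicketBox's own code: a JNDI environment is built the way an LDAP login module would build it, the vulnerable trace line logs the Hashtable verbatim (leaking `java.naming.security.credentials`), and the hardened variant logs a masked copy. The key list (`Context.SECURITY_CREDENTIALS` plus a `bindCredential` option name mirroring the ticket), the mask string and the sample values are assumptions made for this example.

```java
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;

/**
 * Added example (not PicketBox/JBossSX code): mask credentials in a JNDI/LDAP
 * environment before it is handed to a logger at TRACE level.
 */
public class LdapEnvLogMasking {

    // Keys whose values must never appear in logs. Context.SECURITY_CREDENTIALS is the
    // standard JNDI key ("java.naming.security.credentials"); "bindCredential" mirrors the
    // login-module option name from the ticket. Which keys to cover is an assumption here.
    private static final String[] SENSITIVE_KEYS = {
        Context.SECURITY_CREDENTIALS,
        "bindCredential"
    };
    private static final String MASK = "******";

    /** Vulnerable pattern: the environment, bind credential included, is logged verbatim. */
    static String traceLineUnmasked(Hashtable<String, Object> env) {
        return "LDAP connection environment: " + env;
    }

    /** Hardened pattern: log a masked copy; the original, still needed for the bind, is untouched. */
    static String traceLineMasked(Hashtable<String, Object> env) {
        return "LDAP connection environment: " + maskedCopy(env);
    }

    /** Returns a shallow copy with sensitive values replaced; never mutates the input. */
    static Hashtable<String, Object> maskedCopy(Map<String, ?> env) {
        Hashtable<String, Object> copy = new Hashtable<>(env);
        for (String key : SENSITIVE_KEYS) {
            if (copy.containsKey(key)) {
                copy.put(key, MASK);
            }
        }
        return copy;
    }

    public static void main(String[] args) {
        // Constructed sample environment, shaped like what an LDAP login module would build.
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=svc-jboss,ou=services,dc=example,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, "s3cret-bind-pw");

        String unmasked = traceLineUnmasked(env);
        String masked = traceLineMasked(env);
        System.out.println(unmasked); // the bind password appears in the trace line
        System.out.println(masked);   // the password is replaced by ******

        // Checks a unit test for the masking would make.
        if (!unmasked.contains("s3cret-bind-pw")) {
            throw new AssertionError("expected the unmasked line to contain the credential");
        }
        if (masked.contains("s3cret-bind-pw")) {
            throw new AssertionError("credential leaked into the masked line");
        }
        if (!"s3cret-bind-pw".equals(env.get(Context.SECURITY_CREDENTIALS))) {
            throw new AssertionError("original environment was mutated by masking");
        }
    }
}
```

Two practical points follow from the ticket's own wording. First, masking must happen on a copy: the real environment is what the login module passes to `InitialLdapContext`, so replacing the value in place would break the bind. Second, the ticket's remark that the configured `bindCredential` may itself be stored encrypted is why the log line matters even when the config file is readable: the environment holds the decrypted value, and a TRACE log that prints it undoes the protection the encrypted configuration was meant to give.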