Logs store the user password in clear
-------------------------------------
Key: DIRSERVER-1544
URL: https://issues.apache.org/jira/browse/DIRSERVER-1544
Project: Directory ApacheDS
Issue Type: Bug
Affects Versions: 1.5.7
Reporter: Emmanuel Lecharny
Priority: Blocker
Fix For: 2.0.0-RC1
When issuing a BindRequest with DEBUG log activated, the logs contain the user
password:
    [11:02:51] DEBUG [org.apache.directory.server.ldap.handlers.BindHandler] - Received: BindRequest
    Version : '3'
    Name : 'uid=elecharny,ou=People,dc=iktek,dc=com'
    Simple authentication : 'My password/0x...'
This is a bit of an issue, IMO...
Of course, if we dump the PDU, we will be able to get those info too, but it's
not really safe anyway.
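An added example, not part of the original issue or of ApacheDS: a Python log scrubber for operators who ran an affected version with DEBUG enabled. It masks the value on every "Simple authentication" line and lists the bind DNs whose passwords were written, so those accounts can be rotated. It assumes the record layout shown in the excerpt above; the sample log, DNs, passwords and the names scrub, SAMPLE_LOG and MASK are constructed for illustration.

```python
import re

# Constructed sample in the layout of the excerpt above (DNs and passwords are made up).
SAMPLE_LOG = """\
[11:02:51] DEBUG [org.apache.directory.server.ldap.handlers.BindHandler] - Received: BindRequest
Version : '3'
Name : 'uid=alice,ou=People,dc=example,dc=com'
Simple authentication : 'example-pass-1/0x...'
[11:02:52] INFO [org.example.Other] - unrelated line
[11:03:10] DEBUG [org.apache.directory.server.ldap.handlers.BindHandler] - Received: BindRequest
Version : '3'
Name : 'uid=bob,ou=People,dc=example,dc=com'
Simple authentication : 'it's-quoted/0x...'
[11:04:00] DEBUG [org.apache.directory.server.ldap.handlers.BindHandler] - Received: BindRequest
Version : '3'
Name : 'uid=alice,ou=People,dc=example,dc=com'
Simple authentication : 'example-pass-2/0x...'
"""

NAME_RE = re.compile(r"^\s*Name\s*:\s*'(.*)'\s*$")
# Mask everything after the colon: the password itself may contain quotes.
CRED_RE = re.compile(r"^(\s*Simple authentication\s*:\s*)\S.*$")
MASK = "'<redacted>'"


def scrub(text):
    """Return (scrubbed_text, exposed_dns) for a DEBUG log dump."""
    out, exposed, current_dn = [], [], None
    for line in text.splitlines():
        if "BindRequest" in line:
            current_dn = None              # a new record starts here
        name = NAME_RE.match(line)
        if name:
            current_dn = name.group(1)
        cred = CRED_RE.match(line)
        if cred:
            line = cred.group(1) + MASK    # drop the clear-text value
            dn = current_dn or "<unknown>"
            if dn not in exposed:
                exposed.append(dn)
        out.append(line)
    return "\n".join(out), exposed


if __name__ == "__main__":
    scrubbed, dns = scrub(SAMPLE_LOG)
    print(scrubbed)
    print("Rotate credentials for:", dns)
```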