Yeah, it probably shouldn't log stripes:password values, but really that post has to be under SSL or you're still open to much larger problems.
Unencrypted Login Form/Password Sent in the Clear

An unencrypted login form has been discovered. Any area of a web application that possibly contains sensitive information or access to privileged functionality such as remote site administration functionality should utilize SSL or another form of encryption to prevent login information from being sniffed or otherwise intercepted or stolen. A page containing a login form should be SSL as well as the Action of the form. This will prevent Man-in-the-Middle attacks on the login form. Recommendations include ensuring that sensitive areas of your web application have proper encryption protocols in place to prevent login information and other data that could be helpful to an attacker from being intercepted.

SOLUTION

For Security Operations: Ensure that sensitive areas of your web application have proper encryption protocols in place to prevent login information and other data that could be helpful to an attacker from being intercepted.

For Development: Ensure that sensitive areas of your web application have proper encryption protocols in place to prevent login information and other data that could be helpful to an attacker from being intercepted.

For QA: Test the application not only from the perspective of a normal user, but also from the perspective of a malicious one.

-----Original Message-----
From: Thomas Schlosser [mailto:[email protected]]
Sent: Tuesday, April 14, 2009 3:17 PM
To: [email protected]
Subject: [Stripes-users] Password Logging as plain text

Hi,

I have found out that Stripes logs the values (also values from the stripes-password-tag) as plain text when the Validation-annotation is used with the required-param.

2009-04-14 17:13:08,246 DEBUG [http-8080-Processor25] (Log.java:183) - Checking required field: password, with values: [secret]

I think this is a security hole, therefore I wrote my own ActionBeanPropertyBinder and removed the logging of the value.
But isn't it a general problem, which should be fixed in the DefaultActionBeanPropertyBinder?

Cheers,
Thomas

------------------------------------------------------------------------------
This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Stripes-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-users
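A log-hygiene check for the leak Thomas describes, added here as an example and not code from the Stripes project: it parses lines in the format of the DEBUG entry quoted above, reports any "Checking required field" entry whose field name looks like a credential, and returns a redacted copy of the log. The credential-name patterns and the sample log lines are constructed assumptions.

```python
import re

# Shape of the Stripes DEBUG line quoted in the thread:
#   ... - Checking required field: <name>, with values: [<v1>, <v2>]
# The values group is greedy so a value containing ']' is still captured whole.
REQUIRED_FIELD_RE = re.compile(
    r"Checking required field: (?P<field>[^,]+), with values: \[(?P<values>.*)\]"
)

# Field names treated as credentials (assumption; tune to your own form fields).
SENSITIVE_FIELD_RE = re.compile(r"pass|pwd|secret|token", re.I)

REDACTED = "***REDACTED***"


def find_credential_leaks(lines):
    """Return (field, [values]) for each required-field line naming a credential field."""
    leaks = []
    for line in lines:
        m = REQUIRED_FIELD_RE.search(line)
        if m and SENSITIVE_FIELD_RE.search(m.group("field")):
            values = [v.strip() for v in m.group("values").split(",") if v.strip()]
            leaks.append((m.group("field").strip(), values))
    return leaks


def redact_line(line):
    """Replace the logged values of credential fields; other lines pass through unchanged."""
    def _sub(m):
        if SENSITIVE_FIELD_RE.search(m.group("field")):
            return f"Checking required field: {m.group('field')}, with values: [{REDACTED}]"
        return m.group(0)
    return REQUIRED_FIELD_RE.sub(_sub, line)


def redact_log(lines):
    return [redact_line(line) for line in lines]


# Constructed sample log, modelled on the line Thomas posted.
SAMPLE_LOG = [
    "2009-04-14 17:13:08,246 DEBUG [http-8080-Processor25] (Log.java:183) - Checking required field: username, with values: [thomas]",
    "2009-04-14 17:13:08,246 DEBUG [http-8080-Processor25] (Log.java:183) - Checking required field: password, with values: [secret]",
    "2009-04-14 17:13:09,001 DEBUG [http-8080-Processor25] (Log.java:183) - Checking required field: newPasswd, with values: [hunter2, hunter2]",
    "2009-04-14 17:13:09,002 INFO  [http-8080-Processor25] (Log.java:183) - Binding complete",
]

if __name__ == "__main__":
    for field, values in find_credential_leaks(SAMPLE_LOG):
        print(f"credential field '{field}' logged in clear ({len(values)} value(s))")
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Running it against a real Stripes log at DEBUG level shows how many credential values have already been written to disk; the redacted copy is what should leave the host.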
