Hi, thanks for the advice, but the safety of the POST isn't the problem. Rather the safety of the customers' data in the logfiles.
Cheers,
Thomas Newman

John W wrote:
> Yeah, it probably shouldn't log stripes:password values, but really that post
> has to be under SSL or you're still open to much larger problems.
>
> Unencrypted Login Form/Password Sent in the Clear
> An unencrypted login form has been discovered. Any area of a web application
> that possibly contains sensitive information or access to privileged
> functionality such as remote site administration functionality should utilize
> SSL or another form of encryption to prevent login information from being
> sniffed or otherwise intercepted or stolen. A page containing a login form
> should be SSL as well as the Action of the form. This will prevent
> Man-in-the-Middle attacks on the login form. Recommendations include ensuring
> that sensitive areas of your web application have proper encryption protocols
> in place to prevent login information and other data that could be helpful to
> an attacker from being intercepted.
>
> SOLUTION
> For Security Operations:
> Ensure that sensitive areas of your web application have proper encryption
> protocols in place to prevent login information and other data that could be
> helpful to an attacker from being intercepted.
>
> For Development:
> Ensure that sensitive areas of your web application have proper encryption
> protocols in place to prevent login information and other data that could be
> helpful to an attacker from being intercepted.
>
> For QA:
> Test the application not only from the perspective of a normal user, but also
> from the perspective of a malicious one.
>
>
> -----Original Message-----
> From: Thomas Schlosser [mailto:[email protected]]
> Sent: Tuesday, April 14, 2009 3:17 PM
> To: [email protected]
> Subject: [Stripes-users] Password Logging as plain text
>
> Hi,
> I have found out that Stripes logs the values (also values from the
> stripes:password tag) as plain text when the Validate annotation is
> used with the required param.
>
> 2009-04-14 17:13:08,246 DEBUG [http-8080-Processor25] (Log.java:183) -
> Checking required field: password, with values: [secret]
>
> I think this is a security hole, therefore I wrote my own
> ActionBeanPropertyBinder and removed the logging of the value.
> But isn't it a general problem, which should be fixed in the
> DefaultActionBeanPropertyBinder?
>
> Cheers,
> Thomas
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> High Quality Requirements in a Collaborative Environment.
> Download a free trial of Rational Requirements Composer Now!
> http://p.sf.net/sfu/www-ibm-com
> _______________________________________________
> Stripes-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/stripes-users
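The two things a practitioner wants after reading this thread are (a) a way to build the binder's debug message without ever putting a password value into it, and (b) a way to find the lines that have already leaked into existing logfiles, since those are the customer data Thomas is worried about. The following is an added example written for this page; it is not Stripes code and does not subclass DefaultActionBeanPropertyBinder (whose internal method signatures are not quoted here). It only reproduces the shape of the log line shown in the thread. The list of "sensitive" field names and the three sample log lines are constructed for illustration; only the first sample line is the one quoted above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not part of Stripes.
 *  redactForLog()     builds the "Checking required field" message with the
 *                     values of sensitive fields masked before logging.
 *  findLeakedSecrets() scans existing log lines for that message shape and
 *                     reports the ones that expose a sensitive value.
 */
public class SensitiveLogRedactor {

    // Assumed heuristic: field names that must never have their values logged.
    // Adjust to the actual field names used in your ActionBeans.
    private static final Pattern SENSITIVE_FIELD =
        Pattern.compile("(?i)(pass(word|wd)?|pwd|secret|token|creditcard|cvv|ssn)");

    // Shape of the DefaultActionBeanPropertyBinder DEBUG line quoted in the thread.
    private static final Pattern REQUIRED_FIELD_LINE =
        Pattern.compile("Checking required field: ([^,]+), with values: \\[(.*)\\]");

    private static final String MASK = "***";

    public static boolean isSensitiveField(String fieldName) {
        return SENSITIVE_FIELD.matcher(fieldName).find();
    }

    /** Builds the debug message; values of sensitive fields are replaced by MASK. */
    public static String redactForLog(String fieldName, String[] values) {
        String[] shown = values;
        if (isSensitiveField(fieldName)) {
            shown = new String[values.length];
            Arrays.fill(shown, MASK);
        }
        return "Checking required field: " + fieldName
             + ", with values: " + Arrays.toString(shown);
    }

    /** Returns the log lines that print a sensitive field's value in the clear. */
    public static List<String> findLeakedSecrets(List<String> logLines) {
        List<String> leaks = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUIRED_FIELD_LINE.matcher(line);
            if (!m.find() || !isSensitiveField(m.group(1).trim())) {
                continue;
            }
            // Anything left after removing masks, commas and whitespace is real data.
            String residue = m.group(2).replace(MASK, "").replaceAll("[,\\s]", "");
            if (!residue.isEmpty()) {
                leaks.add(line);
            }
        }
        return leaks;
    }

    public static void main(String[] args) {
        // Constructed sample log lines. The first is the line from the thread;
        // the other two are invented to show a non-sensitive field and a masked one.
        List<String> sample = Arrays.asList(
            "2009-04-14 17:13:08,246 DEBUG [http-8080-Processor25] (Log.java:183) - "
                + "Checking required field: password, with values: [secret]",
            "2009-04-14 17:13:08,247 DEBUG [http-8080-Processor25] (Log.java:183) - "
                + "Checking required field: username, with values: [thomas]",
            "2009-04-14 17:13:09,001 DEBUG [http-8080-Processor25] (Log.java:183) - "
                + "Checking required field: password, with values: [***]");

        for (String leak : findLeakedSecrets(sample)) {
            System.out.println("LEAK: " + leak);   // reports only the first sample line
        }

        // What the binder should log instead of the plain-text value.
        System.out.println(redactForLog("password", new String[] {"secret"}));
        System.out.println(redactForLog("username", new String[] {"thomas"}));
    }
}
```

Masking at message-construction time is the fix Thomas describes for the binder itself; the scanner is for the logfiles that were written before that fix went in, which should be located and purged (or rotated out under a short retention policy) rather than left on disk. Independently of both, a line at DEBUG level should never reach a production logfile, so the log level of the Stripes categories in production deserves a check as well.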
