[ejabberd] Security issue in debug log

Kretschmer, Felix Felix.Kretschmer at isw.uni-stuttgart.de
Tue Sep 1 15:07:13 MSK 2015


Hi there,

While configuring an ejabberd installation on my server, I just discovered what in my opinion is considered a security issue.
The debug log contains passwords of users that are connecting to the server. I checked if they are at least transmitted encrypted - yes they are.
But especially in large installations and with authentication via LDAP, it is a security concern to get plain text passwords just by running a server with a debug log.

Is this on purpose?

Thanks for any responses.
Felix

--
Dipl.-Ing. Felix Kretschmer
Universität Stuttgart
Institut für Steuerungstechnik der Werkzeugmaschinen und Fertigungseinrichtungen (ISW)

Seidenstraße 36
70174 Stuttgart
GERMANY

T: +49 711 685-82534 | F: +49 711 685-82808
E: felix.kretschmer at isw.uni-stuttgart.de
W: http://www.isw.uni-stuttgart.de
X: https://www.xing.com/profile/Felix_Kretschmer4
