[ejabberd] Security issue in debug log

Mickaël Rémond mremond at process-one.net
Tue Sep 1 15:20:14 MSK 2015


Hello,

If you use the debug log level (which you should probably avoid in prod) and do
not want to see sensitive information, please use the option:

hide_sensitive_log_data: true

You can find info about it here:
http://docs.ejabberd.im/admin/guide/configuration/#logging

This is valid since ejabberd 15.07.

-- 
Mickaël Rémond

On Tue, Sep 1, 2015 at 2:07 PM, Kretschmer, Felix <
Felix.Kretschmer at isw.uni-stuttgart.de> wrote:

> Hi there,
>
>
>
> while configuring an ejabberd installation at my server I just developed
> as in my opinion is considered a security issue.
>
> The debug log contains passwords of users that are connecting to the
> server. I checked if they are at least transmitted encrypted – yes they are.
>
> But especially in large installations and an authentication via LDAP it is
> a security concern to get plain text passwords just by running a server
> with a debug log.
>
>
>
> Is this on purpose?
>
>
>
> Thanks for any responses.
>
> Felix
>
>
>
> --
> Dipl.-Ing. Felix Kretschmer
> Universität Stuttgart
> Institut für Steuerungstechnik der Werkzeugmaschinen und
> Fertigungseinrichtungen (ISW)
>
>
> Seidenstraße 36
> 70174 Stuttgart
> GERMANY
>
>
> T: +49 711 685-82534 | F: +49 711 685-82808
> E: felix.kretschmer at isw.uni-stuttgart.de
> W: http://www.isw.uni-stuttgart.de
>
> X: https://www.xing.com/profile/Felix_Kretschmer4
>
>
>


-- 
Mickaël Rémond
 http://www.process-one.net
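
Added example, not part of the original thread and not ejabberd code: a Python log scrubber for debug logs that were written before `hide_sensitive_log_data` was enabled. It assumes the debug log recorded the raw SASL PLAIN `<auth/>` stanza; the log layout, account name and password in the sample are constructed.

```python
import base64
import binascii
import re

# SASL PLAIN <auth/> element (RFC 6120 / RFC 4616) anywhere in a log line.
AUTH_RE = re.compile(
    r"(<auth\b[^>]*\bmechanism=['\"]PLAIN['\"][^>]*>)([A-Za-z0-9+/=\s]+)(</auth>)"
)

def decode_plain(b64_payload):
    """Return the authcid (user name) from a SASL PLAIN payload, or None."""
    try:
        raw = base64.b64decode("".join(b64_payload.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\x00")  # authzid NUL authcid NUL passwd
    if len(parts) != 3 or not parts[2]:
        return None
    return parts[1].decode("utf-8", errors="replace")

def scrub_line(line):
    """Return (redacted_line, [accounts whose password was in the line])."""
    exposed = []

    def _redact(match):
        user = decode_plain(match.group(2))
        exposed.append(user if user is not None else "<undecodable>")
        return match.group(1) + "[REDACTED]" + match.group(3)

    return AUTH_RE.sub(_redact, line), exposed

def scrub_log(lines):
    """Scrub an iterable of log lines; return (clean_lines, sorted accounts)."""
    clean, accounts = [], set()
    for line in lines:
        redacted, exposed = scrub_line(line)
        clean.append(redacted)
        accounts.update(exposed)
    return clean, sorted(accounts)

# Constructed sample: log layout and credentials are made up for this example.
SAMPLE_B64 = base64.b64encode(b"\x00alice\x00correct-horse").decode()
SAMPLE_LOG = [
    "2015-09-01 14:01:07.101 [debug] <0.412.0> Received XML on stream = "
    "<<\"<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>"
    + SAMPLE_B64 + "</auth>\">>",
    "2015-09-01 14:01:07.250 [info] <0.412.0> Accepted authentication for alice",
]
```

The account list returned by `scrub_log` identifies whose passwords were written to disk and should be rotated; the password itself is never returned or printed.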