[ejabberd] Security issue in debug log

Kretschmer, Felix Felix.Kretschmer at isw.uni-stuttgart.de
Tue Sep 1 20:28:46 MSK 2015


Just installed 15.07
Log says: 2015-09-01 19:19:12.158 [error] <0.38.0>@ejabberd_config:validate_opts:750 unknown option 'hide_sensitive_log_data' will be likely ignored


From: ejabberd [mailto:ejabberd-bounces at jabber.ru] On behalf of Mickaël Rémond
Sent: Tuesday, 1 September 2015 14:20
To: ejabberd at jabber.ru
Subject: Re: [ejabberd] Security issue in debug log

Hello,

if you use debug log level (which you should probably avoid in prod) and do not want to see sensitive information, please use option:

hide_sensitive_log_data: true

You can find info about it here: http://docs.ejabberd.im/admin/guide/configuration/#logging

This is valid since ejabberd 15.07.

--
Mickaël Rémond

On Tue, Sep 1, 2015 at 2:07 PM, Kretschmer, Felix <Felix.Kretschmer at isw.uni-stuttgart.de> wrote:
Hi there,

while configuring an ejabberd installation on my server I just came across what, in my opinion, is a security issue.
The debug log contains the passwords of users that are connecting to the server. I checked whether they are at least transmitted encrypted – yes, they are.
But especially in large installations, and with authentication via LDAP, it is a security concern to get plain-text passwords just by running a server with a debug log.

Is this by purpose?

Thanks for any responses.
Felix

--
Dipl.-Ing. Felix Kretschmer
Universität Stuttgart
Institut für Steuerungstechnik der Werkzeugmaschinen und Fertigungseinrichtungen (ISW)

Seidenstraße 36
70174 Stuttgart
GERMANY

T: +49 711 685-82534 | F: +49 711 685-82808
E: felix.kretschmer at isw.uni-stuttgart.de
W: http://www.isw.uni-stuttgart.de
X: https://www.xing.com/profile/Felix_Kretschmer4


_______________________________________________
ejabberd mailing list
ejabberd at jabber.ru
http://lists.jabber.ru/mailman/listinfo/ejabberd



--
Mickaël Rémond
 http://www.process-one.net
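The thread turns on one configuration combination: a debug log level together with `hide_sensitive_log_data` left unset. The following is an added example (not ejabberd's code and not from either poster) of a small pre-deployment check over an `ejabberd.yml` that flags exactly that combination. It assumes the numeric `loglevel` scale of ejabberd 15.x, where `5` is debug, and it only reads unindented top-level `key: value` lines rather than parsing full YAML. The two sample configs are constructed for the example. Note what it cannot tell you: as Felix's log line shows, the running ejabberd build may still report the option as unknown, so the check is about the file, not about whether the server honours the option.

```python
"""Flag an ejabberd.yml that enables debug logging without
hide_sensitive_log_data: true. Added example, not ejabberd's own code."""

import re

# Constructed sample configs for this example (hypothetical host name).
WEAK_CONFIG = """\
loglevel: 5
hosts:
  - "example.org"
"""

HARDENED_CONFIG = """\
loglevel: 5
hide_sensitive_log_data: true
hosts:
  - "example.org"
"""

# Assumption: ejabberd 15.x numeric log levels, where 5 means debug.
DEBUG_LOGLEVEL = 5

# Matches an unindented "key: scalar" line; nested structures are skipped.
TOP_LEVEL_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$")


def top_level_options(text):
    """Collect top-level scalar options (deliberately not a full YAML parser)."""
    opts = {}
    for line in text.splitlines():
        # Skip comments, blank lines and anything indented under another key.
        if not line.strip() or line.startswith((" ", "\t", "#")):
            continue
        m = TOP_LEVEL_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def findings(text):
    """Return a list of findings; empty means the combination is not present."""
    opts = top_level_options(text)
    level = opts.get("loglevel")
    try:
        is_debug = int(level) >= DEBUG_LOGLEVEL
    except (TypeError, ValueError):
        # Newer builds accept symbolic names; treat "debug" the same way.
        is_debug = str(level).strip("\"'").lower() == "debug"
    if not is_debug:
        return []
    hide = opts.get("hide_sensitive_log_data", "").strip().lower()
    if hide != "true":
        return ["debug loglevel without hide_sensitive_log_data: true"]
    return []


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, findings(cfg) or "ok")
```

Run it against a real `ejabberd.yml` by passing the file contents to `findings()`; an empty list means either the log level is below debug or the option is set, and anything else should be fixed before the server sees production credentials.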