[ejabberd] Security issue in debug log

Badlop badlop at gmail.com
Wed Sep 2 14:48:48 MSK 2015


Oh, I forgot to add the option verification when I wrote it.

Here is the fix, in case you can apply it:
https://github.com/processone/ejabberd/commit/1bc2c8cbb16f0186953dbe5b7eb71660e1e3c5f7

--
Badlop
ProcessOne

--

On 1 September 2015 at 19:28, Kretschmer, Felix
<Felix.Kretschmer at isw.uni-stuttgart.de> wrote:
> Just installed 15.07
>
> Log says: 2015-09-01 19:19:12.158 [error]
> <0.38.0>@ejabberd_config:validate_opts:750 unknown option
> 'hide_sensitive_log_data' will be likely ignored
>
> From: ejabberd [mailto:ejabberd-bounces at jabber.ru] On behalf of Mickaël
> Rémond
> Sent: Tuesday, 1 September 2015 14:20
> To: ejabberd at jabber.ru
> Subject: Re: [ejabberd] Security issue in debug log
>
> Hello,
>
> if you use debug log level (which you should probably avoid in prod) and do
> not want to see sensitive information, please use option:
>
> hide_sensitive_log_data: true
>
> You can find info about it here:
> http://docs.ejabberd.im/admin/guide/configuration/#logging
>
> This is valid since ejabberd 15.07.
>
> --
>
> Mickaël Rémond
>
> On Tue, Sep 1, 2015 at 2:07 PM, Kretschmer, Felix
> <Felix.Kretschmer at isw.uni-stuttgart.de> wrote:
>
> Hi there,
>
> while configuring an ejabberd installation on my server I just came across
> what, in my opinion, is considered a security issue.
>
> The debug log contains passwords of users that are connecting to the server.
> I checked if they are at least transmitted encrypted – yes they are.
>
> But especially in large installations and with authentication via LDAP it is a
> security concern to get plain text passwords just by running a server with a
> debug log.
>
> Is this on purpose?
>
> Thanks for any responses.
>
> Felix
>
> --
> Dipl.-Ing. Felix Kretschmer
> Universität Stuttgart
> Institut für Steuerungstechnik der Werkzeugmaschinen und
> Fertigungseinrichtungen (ISW)
>
> Seidenstraße 36
> 70174 Stuttgart
> GERMANY
>
> T: +49 711 685-82534 | F: +49 711 685-82808
> E: felix.kretschmer at isw.uni-stuttgart.de
> W: http://www.isw.uni-stuttgart.de
> X: https://www.xing.com/profile/Felix_Kretschmer4
>
> _______________________________________________
> ejabberd mailing list
> ejabberd at jabber.ru
> http://lists.jabber.ru/mailman/listinfo/ejabberd
>
> --
>
> Mickaël Rémond
>
>  http://www.process-one.net
>
>
