[ejabberd] Security issue in debug log

Badlop badlop at gmail.com
Wed Sep 2 18:44:59 MSK 2015

Ah right! Because right now that option is only used to hide IP addresses.

Passwords are not logged when using internal auth, and I don't have
LDAP setup for debugging.

Can you show example lines from your log that mention the passwords?

By the way, if you can edit the source code, it's easy to hide any
element. For example, in this log line I'll hide the JID:

--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -638,7 +638,7 @@ wait_for_auth({xmlstreamelement, El}, StateData) ->
                  {true, AuthModule} ->
                        ?INFO_MSG("(~w) Accepted legacy authentication
for ~s by ~p from ~s",
-                                  jlib:jid_to_string(JID), AuthModule,
ejabberd_config:may_hide_data(jlib:jid_to_string(JID)), AuthModule,

                                           [true, U, StateData#state.server,
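
Review bot: the replacement line `ejabberd_config:may_hide_data(jlib:jid_to_string(JID)), AuthModule,` has lost its leading `+`, and the `?INFO_MSG` format string is wrapped across two lines, so this hunk will not apply with `git apply` or `patch` as pasted; it also looks cut short by the mailer, since a 7-line hunk per `@@ -638,7 +638,7 @@` ends here with `[true, U, StateData#state.server,` after a blank line. Treat it as an illustration and make the one-line edit by hand: wrap the `jlib:jid_to_string(JID)` argument in `ejabberd_config:may_hide_data(...)`. Only the JID argument is wrapped; the `from ~s` argument (the peer IP) is not changed in this hunk, which matches the remark above that the option already covers IP addresses.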

Then the lines, instead of:
  Accepted legacy authentication for user1@localhost/tka1 by ...
will say:
  Accepted legacy authentication for hidden_by_ejabberd by ...


On 2 September 2015 at 17:10, Kretschmer, Felix
<Felix.Kretschmer at isw.uni-stuttgart.de> wrote:
> Hi there,
> Just checked and this is not correct. Still see the data although the variable is set. - No update applied.
> I still get the password of all users as well as the password of the ldap_rootdn.
> Sorry about that.
> felix
> -----Original Message-----
> From: ejabberd [mailto:ejabberd-bounces at jabber.ru] On behalf of Mickaël Rémond
> Sent: Wednesday, 2 September 2015 14:28
> To: ejabberd at jabber.ru
> Subject: Re: [ejabberd] Security issue in debug log
> Hello,
> On 2 Sep 2015, at 13:48, Badlop wrote:
>> Oh, I forgot to add the option verification when wrote it.
>> Here is the fix, in case you can apply it:
>> https://github.com/processone/ejabberd/commit/1bc2c8cbb16f0186953dbe5b7eb71660e1e3c5f7
> Please, note that it means the option is working, despite the error message. It means it will work as expected even if you do not apply the update yet.
> Thanks for the feedback !
> --
> Mickaël Rémond
>   http://www.process-one.net
> _______________________________________________
> ejabberd mailing list
> ejabberd at jabber.ru
> http://lists.jabber.ru/mailman/listinfo/ejabberd
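
The scrubbing this thread is really after, as an added example that is not ejabberd's own code: a Python filter that masks JIDs, IP addresses and password values in a debug log that has already been written, so the log can be sent to a list like this one without leaking what Felix describes. The log lines it runs on are constructed to resemble ejabberd 15.x lager output, not copied from a real log; the two shapes assumed for an `ldap_password` value (an Erlang term and a YAML key) are assumptions about how a config dump appears, and the `hidden_by_ejabberd` placeholder is reused from the message above.

```python
"""Added example, not ejabberd's own code: scrub an ejabberd debug log before
sharing it. Masks JIDs, IP addresses, the plaintext password of a legacy
(jabber:iq:auth) login, the base64 payload of a SASL <auth> element (PLAIN
carries the password inside it) and an ldap_password value. The sample lines
are constructed to look like ejabberd 15.x lager output; the ldap_password
shapes (Erlang term and YAML key) are assumptions, not something the thread
shows."""
import ipaddress
import re

HIDDEN = "hidden_by_ejabberd"  # same placeholder ejabberd's own hiding emits (see thread)

# (pattern, replacement) pairs for secret values; applied before anything else
# so a secret is never half-masked by a later rule.
PASSWORD_RULES = [
    (re.compile(r"(<password>)[^<]*(</password>)"), r"\g<1>" + HIDDEN + r"\g<2>"),
    (re.compile(r"(<auth\b[^>]*>)[^<]+(</auth>)"), r"\g<1>" + HIDDEN + r"\g<2>"),
    (re.compile(r'(\{ldap_password,\s*)"[^"]*"'), r'\g<1>"' + HIDDEN + '"'),  # Erlang term (assumed shape)
    (re.compile(r"(ldap_password:\s*)\S+"), r"\g<1>" + HIDDEN),               # YAML key (assumed shape)
]

# localpart@domain[/resource]. The lookbehind keeps the regex off the
# pid@module pair that lager prints, e.g. <0.512.0>@ejabberd_c2s.
JID_RE = re.compile(r"(?<![<\w.+-])[\w.+-]+@[\w.-]+(?:/[^\s\"'<>,]+)?")

# Candidate tokens are validated with ipaddress, so timestamps like 18:44:59
# and pids like 0.512.0 are left alone while real v4/v6 addresses are masked.
IP_CANDIDATE_RE = re.compile(r"(?<![\w.:])[0-9A-Fa-f:.]{3,}(?![\w.:])")


def _mask_ip(m):
    token = m.group(0)
    try:
        ipaddress.ip_address(token)
    except ValueError:
        return token  # not an address: keep the timestamp / pid / hex word
    return HIDDEN


def scrub_line(line):
    """Return one log line with secrets, JIDs and IPs replaced by HIDDEN."""
    for rx, repl in PASSWORD_RULES:
        line = rx.sub(repl, line)
    line = JID_RE.sub(HIDDEN, line)
    return IP_CANDIDATE_RE.sub(_mask_ip, line)


def scrub(text):
    return "".join(scrub_line(l) for l in text.splitlines(keepends=True))


def find_leaks(text, secrets):
    """Known secrets that still occur in text; expected to be [] after scrub()."""
    return [s for s in secrets if s in text]


# Constructed sample: a legacy login, the stanzas that carried it, a SASL PLAIN
# login (base64 of "\0user1\0s3cret") and an LDAP config dump.
SAMPLE_LOG = """\
2015-09-02 18:44:59.123 [info] <0.512.0>@ejabberd_c2s:wait_for_auth:640 (#Port<0.6241>) Accepted legacy authentication for user1@localhost/tka1 by ejabberd_auth_internal from 192.168.1.20
2015-09-02 18:44:59.120 [debug] <0.512.0>@ejabberd_receiver:process_data:284 Received XML on stream = <<"<iq type='set' id='auth2'><query xmlns='jabber:iq:auth'><username>user1</username><password>s3cret</password><resource>tka1</resource></query></iq>">>
2015-09-02 18:45:01.004 [debug] <0.520.0>@ejabberd_receiver:process_data:284 Received XML on stream = <<"<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>AHVzZXIxAHMzY3JldA==</auth>">>
2015-09-02 18:45:02.000 [debug] <0.530.0>@ejabberd_auth_ldap:init:300 ldap config: [{ldap_rootdn,"cn=admin,dc=example,dc=org"},{ldap_password,"ldap-secret"}]
"""

if __name__ == "__main__":
    cleaned = scrub(SAMPLE_LOG)
    print(cleaned)
    print("leaks left:", find_leaks(cleaned, ["s3cret", "ldap-secret", "192.168.1.20"]))
```

Run `find_leaks` with every password you know is in the deployment before pasting the output anywhere; a regex-based scrubber only catches the shapes it was taught, so a secret that appears in an unexpected place (a `<username>`, a custom stanza) will pass through, and the check is what tells you.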
