[ejabberd] Security issue in debug log

Kretschmer, Felix Felix.Kretschmer at isw.uni-stuttgart.de
Wed Sep 2 18:56:36 MSK 2015


Hi,
There you go.
2015-09-02 17:08:18.551 [debug] <0.359.0>@eldap:bind_request:1150 Bind Request Message:{'LDAPMessage',1,{bindRequest,{'BindRequest',3,<<"ISW\\RootDN">>,{simple,<<"passwordOfRootDN">>}}},asn1_NOVALUE}
2015-09-02 17:08:22.911 [debug] <0.359.0>@eldap:send_command:827 {bindRequest,{'BindRequest',3,<<"CN=Felix Kretschmer, OU=Users,DC=isw,DC=uni-stuttgart,DC=de">>,{simple,<<"passwordOfUser">>}}}

Since I used the universal installer, I don't have the source code here to test it.
But thanks for the response. I just wanted to get security up to date, as it is a major topic of our research in machine control engineering. :)


-----Original Message-----
From: ejabberd [mailto:ejabberd-bounces at jabber.ru] On Behalf Of Badlop
Sent: Wednesday, 2 September 2015 17:45
To: ejabberd at jabber.ru
Subject: Re: [ejabberd] Security issue in debug log

Ah right! Because right now that option is only used to hide IP addresses.

Passwords are not logged when using internal auth, and I don't have LDAP setup for debugging.

Can you show example lines from your log that mention the passwords?

By the way, if you can edit the source code, it's easy to hide any element. For example, in this log line I'll hide the JID:

--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -638,7 +638,7 @@ wait_for_auth({xmlstreamelement, El}, StateData) ->
                  {true, AuthModule} ->
                        ?INFO_MSG("(~w) Accepted legacy authentication for ~s by ~p from ~s",
                                  [StateData#state.socket,
-                                  jlib:jid_to_string(JID), AuthModule,
+
ejabberd_config:may_hide_data(jlib:jid_to_string(JID)), AuthModule,

ejabberd_config:may_hide_data(jlib:ip_to_list(StateData#state.ip))]),
                        ejabberd_hooks:run(c2s_auth_result,
StateData#state.server,
                                           [true, U, StateData#state.server,
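Review bot: this hunk only masks the JID and IP in the "Accepted legacy authentication" ?INFO_MSG of ejabberd_c2s; the leak Felix reports is in eldap's debug output (the eldap:bind_request:1150 and eldap:send_command:827 lines earlier in the thread print the whole bind request term, including `{simple,<<"passwordOfRootDN">>}`), and those two log sites are untouched by this change. The same ejabberd_config:may_hide_data/1 treatment, or replacing the password element of the term before it is handed to the logger, is needed there. Separately, the hunk as pasted has been line-wrapped (a `+` on a line of its own, continuation lines without a diff prefix), so it will not apply with patch or git apply as shown; the intended replacement is the single line `ejabberd_config:may_hide_data(jlib:jid_to_string(JID)), AuthModule,` followed by `ejabberd_config:may_hide_data(jlib:ip_to_list(StateData#state.ip))]),` on the next `+` line.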

With that change, the lines, instead of:
  Accepted legacy authentication for user1 at localhost/tka1 by ...
will say:
  Accepted legacy authentication for hidden_by_ejabberd by ...


--
Badlop
ProcessOne
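As an added example, not code from this thread or from ejabberd, the same masking idea applied to the term that eldap logs: a small hypothetical module that rewrites the `{simple, Password}` element of an LDAP bind request before the term reaches the logger, using the same `<<"hidden_by_ejabberd">>` placeholder shown above. The module name, the `scrub/2` function and its boolean `HideSensitive` argument (standing in for whatever option ejabberd_config:may_hide_data/1 consults) are assumptions; the sample terms are constructed to match the two debug lines Felix posted.

```erlang
%% log_scrub.erl: added illustration, not part of ejabberd.
%% Masks the credential inside an LDAP bind request term before the
%% term is passed to a log macro, so that a line such as
%%   eldap:bind_request ... {simple,<<"passwordOfRootDN">>}
%% comes out as {simple,<<"hidden_by_ejabberd">>} instead.
-module(log_scrub).
-export([scrub/2, demo/0]).

%% Same placeholder ejabberd_config:may_hide_data/1 substitutes for JIDs/IPs.
-define(HIDDEN, <<"hidden_by_ejabberd">>).

%% scrub(Term, HideSensitive) -> Term'
%% HideSensitive is an assumed stand-in for the logging option; when it is
%% false the term is returned untouched so developer debugging output is
%% unchanged.
scrub(Term, false) ->
    Term;
%% The credential in an eldap simple bind is always {simple, Password}.
scrub({simple, Pw}, true) when is_binary(Pw); is_list(Pw) ->
    {simple, ?HIDDEN};
%% Walk the rest of the term generically so the same function works on the
%% bare bindRequest and on the 'LDAPMessage' envelope around it.
scrub(T, true) when is_tuple(T) ->
    list_to_tuple([scrub(E, true) || E <- tuple_to_list(T)]);
scrub(L, true) when is_list(L) ->
    [scrub(E, true) || E <- L];
scrub(Other, true) ->
    Other.

%% Constructed samples mirroring the two debug lines from the thread.
demo() ->
    Hide = true,
    Msg = {'LDAPMessage', 1,
           {bindRequest,
            {'BindRequest', 3, <<"ISW\\RootDN">>,
             {simple, <<"passwordOfRootDN">>}}},
           asn1_NOVALUE},
    Cmd = {bindRequest,
           {'BindRequest', 3,
            <<"CN=Felix Kretschmer, OU=Users,DC=isw,DC=uni-stuttgart,DC=de">>,
            {simple, <<"passwordOfUser">>}}},
    ScrubbedMsg = scrub(Msg, Hide),
    ScrubbedCmd = scrub(Cmd, Hide),
    %% The DN stays visible (it is useful when debugging); only the
    %% password is masked. These matches crash demo/0 if that is not so.
    {'BindRequest', 3, <<"ISW\\RootDN">>, {simple, ?HIDDEN}} =
        element(2, element(3, ScrubbedMsg)),
    {'BindRequest', 3, _DN, {simple, ?HIDDEN}} = element(2, ScrubbedCmd),
    %% With the option off the original term comes back unchanged.
    Msg = scrub(Msg, false),
    io:format("Bind Request Message:~p~n~p~n", [ScrubbedMsg, ScrubbedCmd]),
    ok.
```

Compile and run with `erlc log_scrub.erl && erl -noshell -s log_scrub demo -s init stop`; it prints both terms with the passwords replaced. Walking the term generically rather than pattern-matching one exact shape is deliberate: the bind request appears at two different nesting depths in the two log lines, and a scrubber that only knows one of them would silently leave the other leaking.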

On 2 September 2015 at 17:10, Kretschmer, Felix <Felix.Kretschmer at isw.uni-stuttgart.de> wrote:
> Hi there,
>
> Just checked, and this is not correct. I still see the data although the variable is set (no update applied).
> I still get the password of all users as well as the password of the ldap_rootdn.
>
> Sorry about that.
> felix
>
> -----Original Message-----
> From: ejabberd [mailto:ejabberd-bounces at jabber.ru] On Behalf Of Mickaël Rémond
> Sent: Wednesday, 2 September 2015 14:28
> To: ejabberd at jabber.ru
> Subject: Re: [ejabberd] Security issue in debug log
>
> Hello,
>
> On 2 Sep 2015, at 13:48, Badlop wrote:
>
>> Oh, I forgot to add the option verification when I wrote it.
>>
>> Here is the fix, in case you can apply it:
>> https://github.com/processone/ejabberd/commit/1bc2c8cbb16f0186953dbe5b7eb71660e1e3c5f7
>
> Please note that this means the option is working, despite the error message. It will work as expected even if you do not apply the update yet.
>
> Thanks for the feedback!
>
> --
> Mickaël Rémond
>   http://www.process-one.net
> _______________________________________________
> ejabberd mailing list
> ejabberd at jabber.ru
> http://lists.jabber.ru/mailman/listinfo/ejabberd