[ejabberd] Security issue in debug log

Badlop badlop at gmail.com
Thu Sep 3 17:31:12 MSK 2015


Ok, I've added a pair of uses of that option in eldap.erl

Now it logs this:
...
16:22:22.671 [debug] {searchRequest,"hidden_by_ejabberd"}
16:22:22.672 [debug]
{searchResEntry,{'SearchResultEntry',<<"cn=robin,ou=users,dc=pike">>,[{'PartialAttributeList_SEQOF',<<"cn">>,[<<"robin">>]}]}}
16:22:22.672 [debug]
{searchResDone,{'LDAPResult',success,<<>>,<<>>,asn1_NOVALUE}}
16:22:22.672 [debug] {bindRequest,"hidden_by_ejabberd"}
...
since the information logged from LDAP can't be filtered at a finer grain than that.


--
Badlop
ProcessOne

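Anyone who has been running at debug level with LDAP authentication will want to find the bind passwords that were already written to disk before those logs are shipped or shared. The following Python script is an added example for this thread, not code from ejabberd: it matches the simple-bind term as eldap.erl prints it in the log lines quoted below, reports each leaked bind DN, and rewrites the password to the same hidden_by_ejabberd placeholder the patched eldap.erl emits. The sample log lines are constructed to mirror the ones in this thread with placeholder passwords, and the regex assumes eldap keeps logging the `{'BindRequest',Version,<<"DN">>,{simple,<<"Password">>}}` Erlang term as shown there.

```python
"""Scan ejabberd debug logs for LDAP simple-bind credentials and redact them.

Added example for the ejabberd mailing-list thread; not part of ejabberd.
"""
import re
from typing import Dict, List, Optional, Tuple

# Erlang term as eldap.erl logs it (see the quoted log lines in the thread):
#   {'BindRequest',3,<<"DN">>,{simple,<<"password">>}}
# Erlang binary strings escape \ and " with a backslash, so match escaped runs.
_ERL_STR = r'(?:[^"\\]|\\.)*'
SIMPLE_BIND_RE = re.compile(
    r"\{'BindRequest',(?P<ver>\d+),"
    r'<<"(?P<dn>' + _ERL_STR + r')">>,'
    r'\{simple,<<"(?P<password>' + _ERL_STR + r')">>\}\}'
)

# Same placeholder text that eldap.erl emits once may_hide_data is applied.
PLACEHOLDER = "hidden_by_ejabberd"

# Constructed sample modelled on the lines quoted in the thread; the passwords
# are placeholders, not real credentials. Line 4 is what the patched eldap
# logs, and must not be flagged.
SAMPLE_LINES = [
    r"""2015-09-02 17:08:18.551 [debug] <0.359.0>@eldap:bind_request:1150 Bind Request Message:{'LDAPMessage',1,{bindRequest,{'BindRequest',3,<<"ISW\\RootDN">>,{simple,<<"passwordOfRootDN">>}}},asn1_NOVALUE}""",
    r"""2015-09-02 17:08:22.911 [debug] <0.359.0>@eldap:send_command:827 {bindRequest,{'BindRequest',3,<<"CN=Felix Kretschmer, OU=Users,DC=isw,DC=uni-stuttgart,DC=de">>,{simple,<<"passwordOfUser">>}}}""",
    r"""2015-09-02 17:08:22.912 [debug] <0.359.0>@eldap:send_command:827 {searchResDone,{'LDAPResult',success,<<>>,<<>>,asn1_NOVALUE}}""",
    r"""16:22:22.671 [debug] {bindRequest,"hidden_by_ejabberd"}""",
]


def find_simple_bind(line: str) -> Optional[Tuple[str, str]]:
    """Return (bind DN, password) if the line logs a simple bind in clear.

    The DN is returned with its Erlang escaping intact. A term whose password
    is already the placeholder (i.e. output of redact_line) is not a leak.
    """
    m = SIMPLE_BIND_RE.search(line)
    if m is None or m.group("password") == PLACEHOLDER:
        return None
    return m.group("dn"), m.group("password")


def redact_line(line: str) -> str:
    """Replace the clear-text bind password with the eldap placeholder.

    The version and DN are kept so the line stays useful for debugging; only
    the {simple,<<"...">>} credential is rewritten.
    """
    def _sub(m: "re.Match[str]") -> str:
        return (
            "{'BindRequest',%s,<<\"%s\">>,{simple,<<\"%s\">>}}"
            % (m.group("ver"), m.group("dn"), PLACEHOLDER)
        )
    return SIMPLE_BIND_RE.sub(_sub, line)


def audit_log(lines: List[str]) -> Dict[str, object]:
    """Report every leaked bind and return a redacted copy of the log.

    Returns {"leaks": [{"line": n, "dn": dn}, ...], "redacted": [...]}.
    The passwords themselves are deliberately not included in the report.
    """
    leaks = []
    redacted = []
    for number, line in enumerate(lines, start=1):
        hit = find_simple_bind(line)
        if hit is not None:
            leaks.append({"line": number, "dn": hit[0]})
        redacted.append(redact_line(line))
    return {"leaks": leaks, "redacted": redacted}


if __name__ == "__main__":
    report = audit_log(SAMPLE_LINES)
    for leak in report["leaks"]:
        print("line %d: clear-text simple bind for %s" % (leak["line"], leak["dn"]))
    print("--- redacted ---")
    for out in report["redacted"]:
        print(out)
```

Feed `audit_log` the lines of the real log files, including rotated copies. Note that any log already shipped or shared while debug level was on still holds the clear-text passwords, so the affected accounts, the ldap_rootdn account in particular, should be treated as exposed regardless of what this script rewrites on disk.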

On 2 September 2015 at 17:56, Kretschmer, Felix
<Felix.Kretschmer at isw.uni-stuttgart.de> wrote:
> Hi,
> There you go.
> 2015-09-02 17:08:18.551 [debug] <0.359.0>@eldap:bind_request:1150 Bind Request Message:{'LDAPMessage',1,{bindRequest,{'BindRequest',3,<<"ISW\\RootDN">>,{simple,<<"passwordOfRootDN">>}}},asn1_NOVALUE}
> 2015-09-02 17:08:22.911 [debug] <0.359.0>@eldap:send_command:827 {bindRequest,{'BindRequest',3,<<"CN=Felix Kretschmer, OU=Users,DC=isw,DC=uni-stuttgart,DC=de">>,{simple,<<"passwordOfUser">>}}}
>
> Since I used the universal installer I don't have the source code here to test it.
> But thanks for the response. I just wanted to get security up to date, since it is a major topic of our research in machine control engineering. :)
>
>
> -----Original Message-----
> From: ejabberd [mailto:ejabberd-bounces at jabber.ru] On Behalf Of Badlop
> Sent: Wednesday, 2 September 2015 17:45
> To: ejabberd at jabber.ru
> Subject: Re: [ejabberd] Security issue in debug log
>
> Ah right! Because right now that option is only used to hide IP addresses.
>
> Passwords are not logged when using internal auth, and I don't have LDAP setup for debugging.
>
> Can you show example lines from your log that mention the passwords?
>
> By the way, if you can edit the source code, it's easy to hide any element. For example, in this log line I'll hide the JID:
>
> --- a/src/ejabberd_c2s.erl
> +++ b/src/ejabberd_c2s.erl
> @@ -638,7 +638,7 @@ wait_for_auth({xmlstreamelement, El}, StateData) ->
>                   {true, AuthModule} ->
>                         ?INFO_MSG("(~w) Accepted legacy authentication for ~s by ~p from ~s",
>                                   [StateData#state.socket,
> -                                  jlib:jid_to_string(JID), AuthModule,
> +
> ejabberd_config:may_hide_data(jlib:jid_to_string(JID)), AuthModule,
>
> ejabberd_config:may_hide_data(jlib:ip_to_list(StateData#state.ip))]),
>                         ejabberd_hooks:run(c2s_auth_result,
> StateData#state.server,
>                                            [true, U, StateData#state.server,
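Review bot: the `+` line of this hunk has been wrapped by the mail client into two lines (a bare `+`, then `ejabberd_config:may_hide_data(jlib:jid_to_string(JID)), AuthModule,`), and the IP argument on the following line has lost its `-`/` ` prefix, so the patch as quoted will not apply with `git apply` or `patch`; the `@@ -638,7 +638,7 @@` header needs exactly one removed and one added line, so join them back into a single `+` line before applying. Worth stating in the commit message as well: with the option on, this INFO line becomes "Accepted legacy authentication for hidden_by_ejabberd by ...", which drops the account identifier from the successful-authentication record, so operators who rely on that line for audit should know the trade-off.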
>
> Since then, the lines instead of:
>   Accepted legacy authentication for user1 at localhost/tka1 by ...
> will say:
>   Accepted legacy authentication for hidden_by_ejabberd by ...
>
>
> --
> Badlop
> ProcessOne
>
> On 2 September 2015 at 17:10, Kretschmer, Felix <Felix.Kretschmer at isw.uni-stuttgart.de> wrote:
>> Hi there,
>>
>> Just checked, and this is not correct. I still see the data although the variable is set (no update applied).
>> I still get the password of all users as well as the password of the ldap_rootdn.
>>
>> Sorry about that.
>> felix
>>
>> -----Original Message-----
>> From: ejabberd [mailto:ejabberd-bounces at jabber.ru] On Behalf Of
>> Mickaël Rémond
>> Sent: Wednesday, 2 September 2015 14:28
>> To: ejabberd at jabber.ru
>> Subject: Re: [ejabberd] Security issue in debug log
>>
>> Hello,
>>
>> On 2 Sep 2015, at 13:48, Badlop wrote:
>>
>>> Oh, I forgot to add the option verification when wrote it.
>>>
>>> Here is the fix, in case you can apply it:
>>> https://github.com/processone/ejabberd/commit/1bc2c8cbb16f0186953dbe5b7eb71660e1e3c5f7
>>
>> Please note that this means the option is working, despite the error message. It will work as expected even if you do not apply the update yet.
>>
>> Thanks for the feedback !
>>
>> --
>> Mickaël Rémond
>>   http://www.process-one.net
>> _______________________________________________
>> ejabberd mailing list
>> ejabberd at jabber.ru
>> http://lists.jabber.ru/mailman/listinfo/ejabberd